farid hashmi farid007

🏠
Working from home
View GitHub Profile
@farid007
farid007 / ios - ssh - password.txt
Created June 8, 2023 19:18 — forked from lyqflnh/ios - ssh - password.txt
Ways to change the password of the root or mobile account on your jailbroken iOS device
# If you have the root password (the default is "alpine")
1. Log in as root using the command "ssh root@<ip address>"
2. Type your password: alpine
3. Type the command "passwd" to change your root password
4. When that is done, type the command "passwd mobile" to change the mobile password
# If you forget your root password
1. Open the file named "master.password" at /private/etc on your jailbroken iOS device
2. Find the line that looks like this:
root:xxxxxxxxxxxxx:0:0::0:0:System Administrator:/var/root:/bin/sh
farid007 / CSRF in PyroCMS
Last active October 8, 2020 10:25
CSRF in PyroCMS which leads to deletion of plugins (CVE-2020-25263)
Product: PyroCMS
CVE: CVE-2020-25263
Version: (,3.7); 3.7 tested
Vulnerability: deletion of plugins via Cross-Site Request Forgery (CSRF).
Download: https://github.com/pyrocms/pyrocms
farid007 / CSRF in PyroCMS
Last active October 16, 2020 21:57
CSRF in PyroCMS Which leads to deletion of pages (CVE-2020-25262)
Product: PyroCMS
CVE: CVE-2020-25262
Version: (,3.7); 3.7 tested
Vulnerability: deletion of pages via Cross-Site Request Forgery (CSRF).
Download: https://github.com/pyrocms/pyrocms
farid007 / NeDI 1.9C Bypass XSS
Last active June 28, 2020 18:36
NeDI 1.9C Bypass function
CVE-2020-14413
NeDi 1.9C is vulnerable to XSS because of an incorrect implementation of sanitize() in inc/libmisc.php. This function attempts to escape the SCRIPT tag from user-controllable values, but can be easily bypassed, as demonstrated by an onerror attribute of an IMG element as a Devices-Config.php?sta= value.
Steps to reproduce:
> Note: every parameter that is displayed and stored is exploitable.
> Log in to the application.
> Go to "https://ip/Devices-Config.php?sta="><img src=x onerror=alert(1)>"
> The JS code will be executed.
farid007 / NeDi 1.9C RCE
Created June 28, 2020 18:32
NeDi 1.9C Authenticated RCE (CVE-2020-14414)
CVE-2020-14414
NeDi 1.9C is vulnerable to Remote Command Execution. pwsec.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a pw parameter. (This can also be exploited via CSRF.)
Steps to reproduce:
> Log in with the credentials.
> Go to https://ip/pwsec.php.
> Insert any data in the first field then intercept the request.
farid007 / NeDI 1.9C RCE
Last active June 28, 2020 18:29
NeDi 1.9C Authenticated RCE (CVE-2020-14412)
CVE-2020-14412
NeDi 1.9C is vulnerable to Remote Command Execution. System-Snapshot.php improperly escapes shell metacharacters from a POST request. An attacker can exploit this by crafting an arbitrary payload (any system commands) that contains shell metacharacters via a POST request with a psw parameter. (This can also be exploited via CSRF.)
Steps to reproduce:
> Log in with the credentials.
> Go to https://ip/System-Snapshot.php.
farid007 / Rconfig Multiple Vulnerabilities
Last active May 18, 2020 04:28
Rconfig 3.9.4 Session Fixation and XSS
1. Cross-Site Scripting (XSS) (CVE-2020-12256)
rConfig 3.9.4 is vulnerable to cross-site scripting. The devicemgmnt.php file improperly validates user input. Due to this flaw, an attacker can exploit the vulnerability by supplying arbitrary JavaScript ("><script>alert(document.cookie)</script>) in the `deviceId` GET parameter of devicemgmnt.php, resulting in execution of the JavaScript.
Steps to reproduce:
1. Log in with the credentials.
2. Go to https://ip-rconfig/devicemgmt.php?deviceId="><script>alert(document.cookie)</script>
farid007 / Rconfig CSRF Exploit
Last active May 19, 2020 09:14
Rconfig 3.9.4 CSRF
Cross-Site Request Forgery (CSRF) (CVE-2020-12257)
rConfig 3.9.4 is vulnerable to cross-site request forgery (CSRF) because no CSRF protection, such as a CSRF token, is implemented.
An attacker can leverage this vulnerability by creating a form (to add, delete, or edit a user), hosting it on their own server, and sharing it with victims through social engineering.
Once a victim who is already authenticated to rConfig submits the form, unintended actions are performed on the victim's behalf.
Steps to reproduce:
farid007 / Rconfig File Upload RCE Exploit
Last active November 15, 2022 06:17
Rconfig 3.9.4 File Upload RCE
Remote Code Execution via File Upload (CVE-2020-12255)
rConfig 3.9.4 is vulnerable to remote code execution due to improper checks and validation in the file upload functionality.
vendor.crud.php accepts an uploaded file by checking only its content-type; it does not restrict uploads by checking the file extension or the file header.
Due to this flaw, an attacker can exploit the vulnerability by uploading a PHP file that contains arbitrary code (a shell) while setting the content-type to `image/gif` in the request to vendor.crud.php.
Since validation happens only on the content-type, the server accepts the uploaded PHP file, ultimately resulting in code execution when the file is invoked.
Steps to reproduce: