<pre><code>CVE ID: CVE-2024-30922<br /><br />Description:<br />A SQL Injection vulnerability has been identified in DerbyNet version 9.0, specifically affecting the 'where' clause in Award Document Rendering through the component `print/render/award.inc`. This vulnerability allows remote attackers to execute arbitrary code and disclose sensitive information without requiring authentication.<br /><br />Vulnerability Type: SQL Injection<br /><br />Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet<br /><br />Affected Product Code Base: DerbyNet - v9.0<br /><br />Affected Component: print/render/award.inc<br /><br />Attack Type: Remote<br /><br />Impact:<br />- Code execution: True<br />- Information Disclosure: True<br /><br />Attack Vectors:<br />The document rendering endpoint, particularly `print/render/award.inc`, is exposed to unauthenticated SQL Injection. This flaw allows attackers to manipulate SQL queries by injecting malicious SQL code, potentially leading to unauthorized data access and manipulation.<br /><br />Discoverer: Valentin Lobstein<br /><br />References:<br />- Official website: http://derbynet.com<br />- Source code on GitHub: https://github.com/jeffpiazza/derbynet<br /><br /></code></pre>
<pre><code>CVE ID: CVE-2024-30928<br /><br />Description:<br />An SQL Injection vulnerability has been discovered in DerbyNet version 9.0, particularly within the `ajax/query.slide.next.inc` file. This vulnerability allows remote attackers to execute arbitrary code and disclose sensitive information by exploiting the unvalidated `classids` parameter used in constructing SQL queries. This parameter is not properly sanitized before being included in the SQL statement, leading to a critical risk of SQL Injection.<br /><br />Vulnerability Type: SQL Injection<br /><br />Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet<br /><br />Affected Product Code Base: DerbyNet - v9.0<br /><br />Affected Component: ajax/query.slide.next.inc<br /><br />Attack Type: Remote<br /><br />Impacts:<br />- Code execution: True<br />- Information Disclosure: True<br /><br />Attack Vectors:<br />The vulnerability is primarily exploited by manipulating the `classids` parameter in the user's request to the `ajax/query.slide.next.inc` file. The lack of adequate input validation allows attackers to inject malicious SQL code through this parameter. 
Example attack vectors include:<br /><br />- Direct exploitation:<br />- `http://127.0.0.1:8000/action.php?query=slide.next&mode=racer&classids=1`<br /><br />- Boolean-based blind SQL Injection:<br />- Payload: `query=slide.next&mode=racer&classids=1) AND 4365=4365 AND (6880=6880`<br /><br />- UNION query SQL Injection:<br />- Payload: `query=slide.next&mode=racer&classids=-3890) UNION ALL SELECT NULL,NULL,CHAR(113,107,120,122,113)||CHAR(79,97,117,85,112,79,82,85,75,114,65,66,118,100,117,107,79,118,111,104,67,105,87,86,72,110,107,119,113,86,106,107,115,100,110,109,98,77,85,115)||CHAR(113,118,120,120,113),NULL,NULL,NULL,NULL,NULL-- rDzQ`<br /><br />These vectors demonstrate how an attacker could manipulate SQL queries to potentially access or manipulate database information without authorization.<br /><br />Discoverer: Valentin Lobstein<br /><br />References:<br />- Official website: http://derbynet.com<br />- Source code on GitHub: https://github.com/jeffpiazza/derbynet<br /><br /></code></pre>
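A hardening sketch for the `classids` finding above, as an added example that is not DerbyNet's code: the value is accepted only as a comma-separated integer list and each id is bound as a query parameter. It assumes a PDO connection with the `pdo_sqlite` driver, that the value lands inside an `IN (...)` list (consistent with the payloads closing a parenthesis), and a hypothetical `racers` table; `parse_id_list` and `racers_in_classes` are hypothetical names.

```php
<?php
// Added example, not DerbyNet's code. Table, column and function names are hypothetical.
declare(strict_types=1);

/**
 * Parse a comma-separated id list such as "1,2,3" into integers.
 * Anything that is not a plain decimal list is rejected outright.
 */
function parse_id_list(string $raw, int $maxIds = 100): array
{
    if (!preg_match('/\A\d{1,9}(,\d{1,9})*\z/', $raw)) {
        throw new InvalidArgumentException('classids must be a comma-separated list of integers');
    }
    $ids = array_map('intval', explode(',', $raw));
    if (count($ids) > $maxIds) {
        throw new InvalidArgumentException('too many ids');
    }
    return $ids;
}

/** Run the IN (...) lookup with one bound placeholder per id. */
function racers_in_classes(PDO $db, array $ids): array
{
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT racerid, lastname FROM racers WHERE classid IN ($marks) ORDER BY racerid");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE racers (racerid INTEGER PRIMARY KEY, lastname TEXT, classid INTEGER)');
$db->exec("INSERT INTO racers (lastname, classid) VALUES ('Able', 1), ('Baker', 2), ('Cole', 3)");

// One valid list, the boolean-based value quoted in the advisory, and a malformed list.
$inputs = ['1,3', '1) AND 4365=4365 AND (6880=6880', '1,,2'];
foreach ($inputs as $raw) {
    try {
        $rows = racers_in_classes($db, parse_id_list($raw));
        echo "accepted [$raw]: " . implode(', ', array_column($rows, 'lastname')) . "\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected [$raw]: " . $e->getMessage() . "\n";
    }
}
```

The placeholder string is built only from the count of validated ids, so no request data reaches the SQL text.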
<pre><code>CVE ID: CVE-2024-30929<br /><br />Description:<br />A Cross-Site Scripting (XSS) vulnerability has been found in DerbyNet version 9.0, affecting the `playlist.php` component. This issue allows remote attackers to execute arbitrary code by exploiting the `back` parameter. The application does not properly sanitize the `back` parameter before it is rendered on the page, thereby allowing the injection and execution of arbitrary JavaScript code.<br /><br />Vulnerability Type: Cross-Site Scripting (XSS)<br /><br />Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet<br /><br />Affected Product Code Base: DerbyNet - v9.0<br /><br />Affected Component: playlist.php<br /><br />Attack Type: Remote<br /><br />Impact: Code execution<br /><br />Attack Vectors:<br />The vulnerability can be exploited by crafting a URL that includes malicious JavaScript code as part of the `back` parameter. An example of such a URL is:<br />- http://127.0.0.1:8000/playlist.php?back="><script>alert(1)</script><br /><br />This example demonstrates how an attacker could inject and execute JavaScript within the context of the webpage, leading to potential security risks such as session hijacking, phishing, or unauthorized actions performed on behalf of the user.<br /><br />Discoverer: Valentin Lobstein<br /><br />References:<br />- Official website: http://derbynet.com<br />- Source code on GitHub: https://github.com/jeffpiazza/derbynet<br /><br /></code></pre>
<pre><code>CVE ID: CVE-2024-30927<br /><br />Description:<br />A Cross-Site Scripting (XSS) vulnerability is present in DerbyNet version 9.0, specifically within the `racer-results.php` component. This issue allows remote attackers to execute arbitrary code through the improper handling of the `racerid` parameter. The vulnerability is notably present within the HTML `<title>` tag, where the `racerid` parameter value is dynamically inserted directly into the page content without any sanitization or encoding.<br /><br />Vulnerability Type: Cross-Site Scripting (XSS)<br /><br />Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet<br /><br />Affected Product Code Base: DerbyNet - v9.0<br /><br />Affected Component: racer-results.php<br /><br />Attack Type: Remote<br /><br />Impact: Code execution<br /><br />Attack Vectors:<br />The XSS vulnerability can be exploited by inserting malicious JavaScript code into the `racerid` parameter of the URL. For example:<br />- `http://127.0.0.1:8000/racer-results.php?racerid=</title><script>alert(1)</script>`<br /><br />This method demonstrates how an attacker could manipulate the `racerid` parameter to inject and execute arbitrary JavaScript within the context of a user's session.<br /><br />Discoverer: Valentin Lobstein<br /><br />References:<br />- Official website: http://derbynet.com<br />- Source code on GitHub: https://github.com/jeffpiazza/derbynet<br /><br /></code></pre>
<pre><code>CVE ID: CVE-2024-30926<br /><br />Description:<br />A Cross-Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, affecting the `./inc/kiosks.inc` component. This vulnerability permits remote attackers to execute arbitrary code by exploiting the `address_for_current_kiosk()` function. The issue stems from the improper sanitization of user-supplied input via the URL parameters `id` and `address`, which are directly utilized without validation. This oversight allows the execution of malicious JavaScript code through crafted URLs.<br /><br />Vulnerability Type: Cross-Site Scripting (XSS)<br /><br />Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet<br /><br />Affected Product Code Base: DerbyNet - v9.0<br /><br />Affected Component: ./inc/kiosks.inc<br /><br />Attack Type: Remote<br /><br />Impact: Code execution<br /><br />Attack Vectors:<br />The vulnerability can be exploited by manipulating URL parameters to inject malicious scripts. Examples include:<br />- `http://127.0.0.1:8000/kiosk.php?id=<script>alert(1)</script>`<br />- `http://127.0.0.1:8000/kiosk.php?address=<script>alert(1)</script>`<br /><br />These manipulations demonstrate how an attacker could leverage unsanitized input to execute arbitrary JavaScript in the context of a user's session.<br /><br />Discoverer: Valentin Lobstein<br /><br />References:<br />- Official website: http://derbynet.com<br />- Source code on GitHub: https://github.com/jeffpiazza/derbynet<br /><br /></code></pre>
<pre><code>CVE ID: CVE-2024-30925<br /><br />Description:<br />A Cross-Site Scripting (XSS) vulnerability exists in DerbyNet version 9.0, specifically within the `photo-thumbs.php` component. This issue enables a remote attacker to execute arbitrary code through the improper handling of the `racerid` and `back` parameters. The vulnerability arises because the application dynamically generates URLs for navigation without adequately sanitizing these parameters, thus allowing the injection of malicious scripts.<br /><br />Vulnerability Type: Cross-Site Scripting (XSS)<br /><br />Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet<br /><br />Affected Product Code Base: DerbyNet - v9.0<br /><br />Affected Component: photo-thumbs.php<br /><br />Attack Type: Remote<br /><br />Impact: Code execution<br /><br />Attack Vectors:<br />The XSS vulnerability can be exploited through manipulation of the `racerid` and `back` parameters in the URL. Examples of such manipulation include:<br />- http://127.0.0.1:8000/photo-thumbs.php?repo=head&racerid=</script><script>alert(1)</script><br />- http://127.0.0.1:8000/photo-thumbs.php?back="><script>alert(1)</script></div><br /><br />These URLs demonstrate how an attacker could inject and execute arbitrary JavaScript within the context of the user's browser session.<br /><br />Discoverer: Valentin Lobstein<br /><br />References:<br />- Official website: http://derbynet.com<br />- Source code on GitHub: https://github.com/jeffpiazza/derbynet<br /><br /></code></pre>
<pre><code>CVE ID: CVE-2024-30924<br /><br />Description:<br />A Cross Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, specifically within the `checkin.php` component. This vulnerability allows remote attackers to execute arbitrary code due to improper handling of the `order` URL parameter. The flaw lies in the way the `order` parameter is embedded directly into a JavaScript variable assignment without adequate sanitization or encoding, making it possible to inject scripts.<br /><br />Vulnerability Type: Cross Site Scripting (XSS)<br /><br />Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet<br /><br />Affected Product Code Base: DerbyNet - v9.0<br /><br />Affected Component: checkin.php<br /><br />Attack Type: Remote<br /><br />Impact: Code execution is possible as a result of this vulnerability.<br /><br />Attack Vectors:<br />The XSS vulnerability can be exploited by manipulating the `order` parameter in the URL. For example:<br />- `http://127.0.0.1:8000/checkin.php?order=</script><script>alert(1)</script>`<br />- `http://127.0.0.1:8000/checkin.php?order=';alert(1);//`<br /><br />These attack vectors demonstrate how an attacker could inject and execute arbitrary JavaScript within the context of the user's browser session.<br /><br />Discoverer: Valentin Lobstein<br /><br />References:<br />- Official website: http://derbynet.com<br />- Source code on GitHub: https://github.com/jeffpiazza/derbynet<br /><br /></code></pre>
<pre><code>CVE ID: CVE-2024-30921<br /><br />Description:<br />A Cross-Site Scripting (XSS) vulnerability has been identified in DerbyNet version 9.0, specifically affecting the photo.php component. This vulnerability allows remote attackers to execute arbitrary code via crafted URLs, without requiring authentication.<br /><br />Vulnerability Type: Cross-Site Scripting (XSS)<br /><br />Vendor of Product: DerbyNet - Available on GitHub: https://github.com/jeffpiazza/derbynet<br /><br />Affected Product Code Base: DerbyNet - v9.0<br /><br />Affected Component: photo.php<br /><br />Attack Type: Remote<br /><br />Impact: Code execution<br /><br />Attack Vectors: The vulnerability can be exploited by navigating to a specially crafted URL such as:<br />- http://127.0.0.1:8000/photo.php/<img src=x onerror=alert(1)><br /><br />This method allows the attacker to inject arbitrary JavaScript that will be executed in the context of the victim's browser.<br /><br />Discoverer: Valentin Lobstein<br /><br />References:<br />- Official website: http://derbynet.com<br />- Source code on GitHub: https://github.com/jeffpiazza/derbynet<br /><br /></code></pre>
<pre><code>CVE ID: CVE-2024-30920<br /><br />Description:<br />A Cross Site Scripting (XSS) vulnerability has been identified in DerbyNet v9.0, specifically within the `render-document.php` component. This vulnerability allows a remote attacker to execute arbitrary code via crafted URLs. The root cause of the vulnerability is the application's failure to properly sanitize user input in document rendering paths, which permits the injection of malicious scripts.<br /><br />Vulnerability Type: XSS (Cross Site Scripting)<br /><br />Vendor of Product:<br />DerbyNet - https://github.com/jeffpiazza/derbynet<br /><br />Affected Product Code Base:<br />DerbyNet - v9.0<br /><br />Affected Component:<br />render-document.php<br /><br />Attack Type:<br />Remote<br /><br />Impact:<br />Code execution<br /><br />Root Cause:<br />The vulnerability arises from the application's display of debug information, including `ORIG_SCRIPT_FILENAME`, `DOCUMENT_URI`, `SCRIPT_NAME`, and `PHP_SELF`. These debug outputs improperly handle user-supplied input by not sanitizing it before inclusion in the output, leading directly to XSS vulnerabilities when malicious inputs are rendered by the browser.<br /><br />Attack Vectors:<br />The vulnerability can be exploited with URLs such as:<br />- `http://127.0.0.1:8000/render-document.php/racer/<img src=x onerror=alert(1)>`<br />- `http://127.0.0.1:8000/render-document.php/<img src=x onerror=alert(1)>`<br /><br />Discoverer:<br />Valentin Lobstein<br /><br />References:<br />- http://derbynet.com<br />- https://github.com/jeffpiazza/derbynet<br /><br /></code></pre>
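The DerbyNet XSS advisories above describe four output contexts: the `<title>` element, a JavaScript variable assignment, link or attribute values built from `back`, and debug output of request paths. The following added example (not DerbyNet's code) shows an encoder or validator for each; all function and variable names are hypothetical, and the sample values are constructed from the payload shapes quoted in the advisories.

```php
<?php
// Added example, not DerbyNet's code. Function and variable names are hypothetical.
declare(strict_types=1);

/** HTML text and quoted-attribute context (e.g. inside <title> or value="..."). */
function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Inline <script> context: emit a JSON literal with <, >, &, ' and " hex-escaped. */
function js_literal($value): string
{
    return json_encode($value, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

/** Identifier-like parameters: accept a plain integer or return null. */
function int_param(string $raw): ?int
{
    return preg_match('/\A\d{1,9}\z/', $raw) ? (int) $raw : null;
}

/** Link targets: allow only same-site relative .php paths; encoding alone does not stop javascript: URLs. */
function safe_back(string $raw, string $default = 'index.php'): string
{
    return preg_match('/\A[A-Za-z0-9_\-]+\.php(\?[A-Za-z0-9_\-=&%.]*)?\z/', $raw) ? $raw : $default;
}

// Constructed request values carrying the payload shapes quoted in the advisories.
$racerid = '</title><script>alert(1)</script>';
$order   = "';alert(1);//";
$back    = '"><script>alert(1)</script>';
$path    = '/render-document.php/<img src=x onerror=alert(1)>';

$id = int_param($racerid);
echo '<title>Results for racer ' . html($id === null ? 'unknown' : (string) $id) . "</title>\n";
echo '<script>var order_value = ' . js_literal($order) . ";</script>\n";
echo '<a href="' . html(safe_back($back)) . "\">Back</a>\n";
echo '<p>Debug: ' . html($path) . "</p>\n";
```

Each value is encoded at the point of output for the context it lands in; `json_encode` with the `JSON_HEX_*` flags keeps `</script>` and quote characters from terminating the script block or the string literal.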
<pre><code># Exploit Title: Seo Panel 4.7.0 Reflected XSS<br /># Exploit Author: Arzu DEMİREZ<br /># Date: 05.03-2024<br /># Vendor Homepage: https://www.seopanel.org/<br /># Software Link: https://github.com/seopanel/Seo-Panel/releases/tag/4.7.0<br /># Version: Seo Panel 4.7.0<br /><br /><br /><br />- Description:<br /> A cross-site scripting (XSS) issue in the SEO admin login panel version 4.7.0 allows remote attackers to inject JavaScript.<br /><br />- Payload used:<br />x" onmouseover=alert(document.cookie) x="<br /><br />Review Of Analysis:<br />The archive.ctp.php file includes the search_form form and the search_name input, which are loaded by the script at line 71 as<br /><a href="javascript:void(0);" onclick="scriptDoLoadPost('archive.php', 'search_form', 'content')" class="actionbut"><?php echo $spText['button']['Search']?></a><br />Because of that, an attacker who sends this code<br />x" onmouseover=alert(document.cookie) x="<br />can exploit the victim.<br /><br /><form id='search_form'><br /> <table width="100%" class="search"><br /> <tr><br /> <th><?php echo $spText['common']['Name']?>: </th><br /> <td><br /> <input type="text" name="search_name" value="<?php echo htmlentities($searchInfo['search_name'], ENT_QUOTES)?>" onblur="<?php echo $submitLink?>"><br /> </td><br /> <th><?php echo $spText['common']['Period']?>:</th><br /> <td colspan="2"><br /> <input type="text" value="<?php echo $fromTime?>" name="from_time" id="from_time_summary"/><br /> <input type="text" value="<?php echo $toTime?>" name="to_time" id="to_time_summary"/><br /> <script><br /> $( function() {<br /> $( "#from_time_summary, #to_time_summary").datepicker({dateFormat: "yy-mm-dd"});<br /> } );<br /> </script><br /> </td><br /> <tr><br /> <tr><br /> <th><?php echo $spText['common']['Website']?>: </th><br /> <td><br /> <select name="website_id" id="website_id" onchange="scriptDoLoadPost('archive.php', 'search_form', 'content')" style="width: 180px;"><br /> <option value="">-- <?php echo $spText['common']['Select']?> 
--</option><br /> <?php foreach($siteList as $websiteInfo){?><br /> <?php if($websiteInfo['id'] == $websiteId){?><br /> <option value="<?php echo $websiteInfo['id']?>" selected><?php echo $websiteInfo['name']?></option><br /> <?php }else{?><br /> <option value="<?php echo $websiteInfo['id']?>"><?php echo $websiteInfo['name']?></option><br /> <?php }?><br /> <?php }?><br /> </select><br /> </td><br /> <th><?php echo $spText['label']['Report Type']?>: </th><br /> <td><br /> <select name="report_type" id="report_type" onchange="scriptDoLoadPost('archive.php', 'search_form', 'content')" style="width: 210px;"><br /> <option value="">-- <?php echo $spText['common']['Select']?> --</option><br /> <?php foreach($reportTypes as $type => $info){?><br /> <?php if($type == $searchInfo['report_type']){?><br /> <option value="<?php echo $type?>" selected><?php echo $info?></option><br /> <?php }else{?><br /> <option value="<?php echo $type?>"><?php echo $info?></option><br /> <?php }?><br /> <?php }?><br /> </select><br /> <a href="javascript:void(0);" onclick="scriptDoLoadPost('archive.php', 'search_form', 'content')" class="actionbut"><?php echo $spText['button']['Search']?></a><br /><br /><br />Best Regards,<br /></code></pre>